Merge branch 'master' into bitlocker-csp-non-silent-scenario-update

education/windows/set-up-school-pcs-provisioning-package.md

@@ -10,7 +10,7 @@ ms.pagetype: edu
 ms.localizationpriority: medium  
 author: lenewsad  
 ms.author: lanewsad  
-ms.date: 07/13/2018  
+ms.date: 10/17/2018  
 ---  
 
 # What's in my provisioning package?
@@ -107,6 +107,22 @@ Set up School PCs uses the Universal app install policy to install school-releva
 * OneNote
 * Sway   
 
+## Provisioning time estimates
+The time it takes to install a package on a device depends on the:  
+
+* Strength of network connection 
+* Number of policies and apps withim the package
+* Additional configurations made to the device  
+
+Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision.
+
+|Configurations |Connection type |Estimated provisioning time |
+|---------|---------|---------|
+|Default settings only    |  Wi-Fi      |  3 to 5 minutes      |
+|Default settings + apps    |   Wi-Fi       | 10 to 15 minutes        |
+|Default settings + remove pre-installed apps (CleanPC)    |  Wi-Fi        |  60 minutes     |
+|Default settings + other settings (Not CleanPC)    |  Wi-Fi        |  5 minutes       |  
+
 ## Next steps  
 Learn more about setting up devices with the Set up School PCs app.  
 * [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)

education/windows/take-a-test-multiple-pcs.md

@@ -154,23 +154,26 @@ To set up a test account through Windows Configuration Designer, follow these st
 
 4. Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created.
 
-### Set up a test account in Group Policy
+### Set up a tester account in Group Policy
-To set up a test account using Group Policy, first create a Powershell script that configures the test account and assessment URL, and then create a scheduled task to run the script.
+To set up a tester account using Group Policy, first create a Powershell script that configures the tester account and assessment URL, and then create a scheduled task to run the script.
 
 #### Create a PowerShell script
-This sample PowerShell script configures the test account and the assessment URL. Edit the sample to:
+This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to:
 
 - Use your assessment URL for **$obj.LaunchURI**  
-- Use your test account for **$obj.TesterAccount**
+- Use your tester account for **$obj.TesterAccount**
-- Use your test account for **-UserName**
+- Use your tester account for **-UserName**
 
-    ```
+>[!NOTE]
-    $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
+>The account that you specify for the tester account must already exist on the device.
-    $obj.LaunchURI='http://www.foo.com';
+
-    $obj.TesterAccount='TestAccount';
+```
-    $obj.put()
+$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
-    Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
+$obj.LaunchURI='http://www.foo.com';
-    ```
+$obj.TesterAccount='TestAccount';
+$obj.put()
+Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
+```
 
 #### Create a scheduled task in Group Policy
 1. Open the Group Policy Management Console.

windows/application-management/apps-in-windows-10.md

@@ -131,53 +131,58 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a
 
 ## Provisioned Windows apps
 
-Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803.
+Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809.
+
+```
+> Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName
+```
+
+| Package name                           | App name                                                                                                           | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? |
+|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
+| Microsoft.3DBuilder                    | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe)                                        | x    |      |      |      | Yes                   |
+| Microsoft.BingWeather                  | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe)                                     | x    | x    | x    | x    | Yes                   |
+| Microsoft.DesktopAppInstaller          | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe)                           | x    | x    | x    | x    | Via Settings App      |
+| Microsoft.GetHelp                      | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe)                                            |      | x    | x    | x    | No                    |
+| Microsoft.Getstarted                   | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe)                                   | x    | x    | x    | x    | No                    |
+| Microsoft.HEIFImageExtension           | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe)                    |      |      |      | x    | No                    |
+| Microsoft.Messaging                    | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe)                               | x    | x    | x    | x    | No                    |
+| Microsoft.Microsoft3DViewer            | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe)                      | x    | x    | x    | x    | No                    |
+| Microsoft.MicrosoftOfficeHub           | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe)                                | x    | x    | x    | x    | Yes                   |
+| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x    | x    | x    | x    | Yes                   |
+| Microsoft.MicrosoftStickyNotes         | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe)                 | x    | x    | x    | x    | No                    |
+| Microsoft.MixedReality.Portal          | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe)                    |      |      |      | x    | No                    |
+| Microsoft.MSPaint                      | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe)                                            | x    | x    | x    | x    | No                    |
+| Microsoft.Office.OneNote               | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe)                                      | x    | x    | x    | x    | Yes                    |
+| Microsoft.OneConnect                   | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe)                            | x    | x    | x    | x    | No                    |
+| Microsoft.People                       | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe)                                     | x    | x    | x    | x    | No                    |
+| Microsoft.Print3D                      | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe)                                            |      | x    | x    | x    | No                    |
+| Microsoft.SkreenSketch                 | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe)                                  |      |      |      | x    | No                    |
+| Microsoft.SkypeApp                     | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c)                                              | x    | x    | x    | x    | No                    |
+| Microsoft.StorePurchaseApp             | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe)                         | x    | x    | x    | x    | No                    |
+| Microsoft.VP9VideoExtensions           |                                                                                                                    |      |      |      | x    | No                    |
+| Microsoft.Wallet                       | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe)                                        | x    | x    | x    | x    | No                    |
+| Microsoft.WebMediaExtensions           | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe)                     |      |      | x    | x    | No                    |
+| Microsoft.WebpImageExtension           | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe)                     |      |      |      | x    | No                    |
+| Microsoft.Windows.Photos               | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe)                             | x    | x    | x    | x    | No                    |
+| Microsoft.WindowsAlarms                | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe)                        | x    | x    | x    | x    | No                    |
+| Microsoft.WindowsCalculator            | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe)                        | x    | x    | x    | x    | No                    |
+| Microsoft.WindowsCamera                | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe)                                | x    | x    | x    | x    | No                    |
+| microsoft.windowscommunicationsapps    | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe)                 | x    | x    | x    | x    | No                    |
+| Microsoft.WindowsFeedbackHub           | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe)                             | x    | x    | x    | x    | No                    |
+| Microsoft.WindowsMaps                  | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe)                                    | x    | x    | x    | x    | No                    |
+| Microsoft.WindowsSoundRecorder         | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe)                 | x    | x    | x    | x    | No                    |
+| Microsoft.WindowsStore                 | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe)                                | x    | x    | x    | x    | No                    |
+| Microsoft.Xbox.TCUI                    | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe)                                         |      | x    | x    | x    | No                    |
+| Microsoft.XboxApp                      | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe)                                                | x    | x    | x    | x    | No                    |
+| Microsoft.XboxGameOverlay              | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe)                               | x    | x    | x    | x    | No                    |
+| Microsoft.XboxGamingOverlay            | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe)                       |      |      | x    | x    | No                    |
+| Microsoft.XboxIdentityProvider         | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe)                 | x    | x    | x    | x    | No                    |
+| Microsoft.XboxSpeechToTextOverlay      |                                                                                                                    | x    | x    | x    | x    | No                    |
+| Microsoft.YourPhone                    | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe)                                        |      |      |      | x    | No                    |
+| Microsoft.ZuneMusic                    | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe)                                      | x    | x    | x    | x    | No                    |
+| Microsoft.ZuneVideo                    | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe)                                       | x    | x    | x    | x    | No                    |
 
-| Name                            | Full name                              | 1703 | 1709 | 1803 | Uninstall through UI?     |
-|---------------------------------|----------------------------------------|:------:|:------:|:------:|:---------------------------:|
-| 3D Builder                      | Microsoft.3DBuilder                    | x    |      |      | Yes                       |
-| Alarms & Clock                  | Microsoft.WindowsAlarms                | x    |  x   | x    | No                        |
-| App Installer                   | Microsoft.DesktopAppInstaller          | x    |  x   | x    | Via Settings App          |
-| Calculator                      | Microsoft.WindowsCalculator            | x    |  x   | x    | No                        |
-| Camera                          | Microsoft.WindowsCamera                | x    |  x   | x    | No                        |
-| Feedback Hub                    | Microsoft.WindowsFeedbackHub           | x    |  x   | x    | Yes                       |
-| Get Help                        | Microsoft.GetHelp                      |      |  x   | x    | No                        |
-| Get Office/My Office            | Microsoft.Microsoft OfficeHub          | x    |  x   | x    | Yes                       |
-| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp                     | x    |  x   | x    | Yes                       |
-| Get Started/Tips                | Microsoft.Getstarted                   | x    |  x   | x    | Yes                       |
-| Groove                          | Microsoft.ZuneMusic                    | x    |  x   | x    | No                        |
-| Mail and Calendar               | Microsoft.windows communicationsapps   | x    |  x   | x    | No                        |
-| Maps                            | Microsoft.WindowsMaps                  | x    |  x   | x    | No                        |
-| Messaging                       | Microsoft.Messaging                    | x    |  x   | x    | No                        |
-| Microsoft 3D Viewer             | Microsoft.Microsoft3DViewer            | x    |  x   | x    | No                        |
-| Movies & TV                     | Microsoft.ZuneVideo                    | x    |  x   | x    | No                        |
-| OneNote                         | Microsoft.Office.OneNote               | x    |  x   | x    | Yes                       |
-| Paid Wi-FI                      | Microsoft.OneConnect                   | x    | x    | x    | Yes                       |
-| Paint 3D                        | Microsoft.MSPaint                      | x    |  x   | x    | No                        |
-| People                          | Microsoft.People                       | x    |  x   | x    | No                        |
-| Photos                          | Microsoft.Windows.Photos               | x    |  x   | x    | No                        |
-| Print 3D                        | Microsoft.Print3D                      |      |  x   | x    | No                        |
-| Solitaire                       | Microsoft.Microsoft SolitaireCollection| x    |  x   | x    | Yes                       |
-| Sticky Notes                    | Microsoft.MicrosoftStickyNotes         | x    |  x   | x    | No                        |
-| Store                           | Microsoft.WindowsStore                 | x    |  x   | x    | No                        |
-| Sway                            | Microsoft.Office.Sway                  | *    |  x   | x    | Yes                       |
-| Voice Recorder                  | Microsoft.SoundRecorder                | x    |  x   | x    | No                        |
-| Wallet                          | Microsoft.Wallet                       | x    |  x   | x    | No                        |
-| Weather                         | Microsoft.BingWeather                  | x    |  x   | x    | Yes                       |
-| Xbox                            | Microsoft.XboxApp                      | x    |  x   | x    | No                        |
-|                                 | Microsoft.OneConnect                   | x    |  x   | x    | No                        |
-|                                 | Microsoft.DesktopAppInstaller          |      |      | x    | No                        |
-|                                 | Microsoft.StorePurchaseApp             | x    |  x   | x    | No                        |
-|                                 | Microsoft.WebMediaExtensions           |      |      | x    | No                        |
-|                                 | Microsoft.Xbox.TCUI                    |      |  x   | x    | No                        |
-|                                 | Microsoft.XboxGameOverlay              | x    |  x   | x    | No                        |
-|                                 | Microsoft.XboxGamingOverlay            |      |      | x    | No                        |
-|                                 | Microsoft.XboxIdentityProvider         | x    |  x   | x    | No                        |
-|                                 | Microsoft.XboxSpeech ToTextOverlay     | x    |  x   | x    | No                        |
 ---
-
 >[!NOTE]
 >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
-
-
 ---

windows/application-management/msix-app-packaging-tool.md

@@ -8,42 +8,19 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: mikeblodge
 ms.topic: article
-ms.date: 09/21/2018
+ms.date: 10/16/2018
 ---
 
 # Repackage existing win32 applications to the MSIX format
 
-The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). 
+The MSIX Packaging Tool is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store. 
 
 > Prerequisites:
 
-- Participation in the Windows Insider Program  
+- Participate in the Windows Insider Program or update to Windows 10 October 2018 Update (version 1809)
 - Minimum Windows 10 build 17701 
 - Admin privileges on your PC account 
-- A valid MSA alias (to access the app from the Store) 
+- A valid Micorsoft account (MSA) alias to access the app from the Store 
-
-## What's new
-v1.2018.915.0
-- Updated UI to improve clarity and experience
-- Ability to generate a template file for use with a command line
-- Ability to add/remove entry points
-- Ability to sign your package from package editor
-- File extension handling
-
-v1.2018.821.0
-- Command Line Support
-- Ability to use existing local virtual machines for packaging environment.
-- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues.
-- Minor updates to the UI for added clarity.
-
-v1.2018.807.0
-- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu.
-- Fixed an issue where signing with password protected certificates would fail in the tool.
-- Fixed an issue where the tool was crashing when editing an existing MSIX package.
-- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures.
-- Minor UI tweaks to add clarity.
-- Minor updates to the logs to add clarity.
-
 
 ## Installing the MSIX Packaging Tool
 
@@ -51,7 +28,7 @@ v1.2018.807.0
 2. Open the product description page.
 3. Click the install icon to begin installation.
 
-This is an early preview build and not all features are supported. Here is what you can expect to be able to do with this preview:
+Here is what you can expect to be able to do with this tool:
 
 - Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon. 
 - Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon.
@@ -99,7 +76,8 @@ Requirements:
         AllowTelemetry="true"
         ApplyAllPrepareComputerFixes="true"
         GenerateCommandLineFile="true"
-        AllowPromptForPassword="false" >
+        AllowPromptForPassword="false" 
+        EnforceMicrosoftStoreVersioningRequirements="false">
 
         <ExclusionItems>
             <FileExclusion ExcludePath="[{CryptoKeys}]" />
@@ -200,6 +178,7 @@ Here is the complete list of parameters that you can use in the Conversion templ
 |Settings:: ApplyAllPrepareComputerFixes     |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used.         |
 |Settings:: GenerateCommandLineFile     |[optional] Copies the template file input to the SaveLocation directory for future use.         |
 |Settings:: AllowPromptForPassword     |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified.         |
+|Settings:: EnforceMicrosoftStoreVersioningRequirements|[optional] Instructs the tool to enforce the package versioning scheme required for deployment from Microsoft Store and Microsoft Store for Business.|
 |ExclusionItems     |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements.         |
 |ExclusionItems::FileExclusion     |[optional] A file to exclude for packaging.         |
 |ExclusionItems::FileExclusion::ExcludePath     |Path to file to exclude for packaging.         |
@@ -250,8 +229,7 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge
 - Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*.  
 
 ## Known issues
-1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. 
+- MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. 
-2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually.
+- Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart.
-3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart.
+- Setting **EnforceMicrosoftStoreVersioningRequirements=true**, when using the command line interface, will throw an error, even if the vesrion is set correctly. To work around this issue, use **EnforceMicrosoftStoreVersioningRequirements=false** in the conversion template file.
-
+- Adding files to MSIX packages in package editor does not add the file to the folder that the user right-clicks. To work around this issue, ensure that the file being added is in the correct classic app location. For example if you want to add a file in the VFS\ProgramFilesx86\MyApp folder, copy the file locally to your C:\Program Files (86)\MyApp location first, then in the package editor right-click **Package files**, and then click **Add file**. Browse to the newly copied file, then click **Save**.
-

windows/client-management/administrative-tools-in-windows-10.md

@@ -50,6 +50,10 @@ These tools were included in previous versions of Windows and the associated doc
 >[!TIP]  
 >If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content. 
 
+## Related topics
+
+[Diagnostic Data Viewer](https://docs.microsoft.com/windows/privacy/diagnostic-data-viewer-overview)
+
  
 
 

windows/client-management/mdm/clientcertificateinstall-csp.md

@@ -2,18 +2,18 @@
 title: ClientCertificateInstall CSP
 description: ClientCertificateInstall CSP
 ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
-ms.author: maricia
+ms.author: pashort
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: MariciaAlforque
+author: shortpatti
-ms.date: 11/03/2017
+ms.date: 10/16/2018
 ---
 
 # ClientCertificateInstall CSP
 
 
-The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates.
+The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. 
 
 For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
 

windows/configuration/ue-v/uev-for-windows.md

@@ -96,4 +96,4 @@ You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom-
 
 ## Have a suggestion for UE-V?
 
-Add or vote on suggestions on the [User Experience Virtualization feedback site](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization).<br>For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).

windows/deployment/TOC.md

@@ -228,6 +228,7 @@
 ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
 #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
 #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
+#### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md)
 ### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
 #### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md)
 #### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md)

windows/deployment/deploy-m365.md

@@ -21,7 +21,7 @@ This topic provides a brief overview of Microsoft 365 and describes how to use a
 
 [Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS).
 
-For Windows 10 deployment, Microsoft 365 includes a fantasic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
+For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
 
 - Windows Autopilot
 - In-place upgrade

windows/deployment/update/PSFxWhitepaper.md

@@ -0,0 +1,203 @@
+---
+title: Windows Updates using forward and reverse differentials
+description: A technique to produce compact software updates optimized for any origin and destination revision pair
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: Jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.date: 10/17/2018
+---
+
+# Windows Updates using forward and reverse differentials
+
+
+Windows 10 monthly quality updates are cumulative, containing all previously
+released fixes to ensure consistency and simplicity. For an operating system
+platform like Windows 10, which stays in support for multiple years, the size of
+monthly quality updates can quickly grow large, thus directly impacting network
+bandwidth consumption.
+
+Today, this problem is addressed by using express downloads, where differential
+downloads for every changed file in the update are generated based on selected
+historical revisions plus the base version. In this paper, we introduce a new
+technique to build compact software update packages that are applicable to any
+revision of the base version, and then describe how Windows 10 quality updates
+uses this technique.
+
+## General Terms
+
+The following general terms apply throughout this document:
+
+-   *Base version*: A major software release with significant changes, such as
+    Windows 10, version 1809 (Windows 10 Build 17763.1)
+
+-   *Revision*: Minor releases in between the major version releases, such as
+    KB4464330 (Windows 10 Build 17763.55)
+
+-   *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that
+    contain full binaries or files
+
+## Introduction
+
+In this paper, we introduce a new technique that can produce compact software
+updates optimized for any origin/destination revision pair. It does this by
+calculating forward the differential of a changed file from the base version and
+its reverse differential back to the base version. Both forward and reverse
+differentials are then packaged as an update and distributed to the endpoints
+running the software to be updated.
+
+![](images/PSF1.png)
+
+The endpoints that have the base version of the file (V<sub>0</sub>) hydrate the target
+revision (V<sub>N</sub>) by applying a simple transformation:
+
+![](images/PSF2.png)
+
+The endpoints that have revision N of the file (V<sub>N</sub>), hydrate the target revision
+(V<sub>R</sub>) by applying the following set of transformations:
+
+![](images/PSF3.png)
+
+The endpoints retain the reverse differentials for the software revision they
+are on, so that it can be used for hydrating and applying next revision update.
+
+By using a common baseline, this technique produces a single update package with
+numerous advantages:
+
+-   Compact in size
+
+-   Applicable to all baselines
+
+-   Simple to build
+
+-   Efficient to install
+
+-   Redistributable
+
+Historically, download sizes of Windows 10 quality updates (Windows 10, version
+1803 and older supported versions of Windows 10) are optimized by using express
+download. Express download is optimized such that updating Windows 10 systems
+will download the minimum number of bytes. This is achieved by generating
+differentials for every updated file based on selected historical base revisions
+of the same file + its base or RTM version.
+
+For example, if the October monthly quality update has updated Notepad.exe,
+differentials for Notepad.exe file changes from September to October, August to
+October, July to October, June to October, and from the original feature release
+to October are generated. All these differentials are stored in a Patch Storage
+File (PSF, also referred to as “express download files”) and hosted or cached on
+Windows Update or other update management or distribution servers (for example,
+Windows Server Update Services (WSUS), System Center Configuration Manager, or a
+non-Microsoft update management or distribution server that supports express
+updates). A device leveraging express updates uses network protocol to determine
+optimal differentials, then downloads only what is needed from the update
+distribution endpoints.
+
+The flipside of express download is that the size of PSF files can be very large
+depending on the number of historical baselines against which differentials were
+calculated. Downloading and caching large PSF files to on-premises or remote
+update distribution servers is problematic for most organizations, hence they
+are unable to leverage express updates to keep their fleet of devices running
+Windows 10 up to date. Secondly, due to the complexity of generating
+differentials and size of the express files that need to be cached on update
+distribution servers, it is only feasible to generate express download files for
+the most common baselines, thus express updates are only applicable to selected
+baselines. Finally, calculation of optimal differentials is expensive in terms
+of system memory utilization, especially for low-cost systems, impacting their
+ability to download and apply an update seamlessly.
+
+In the following sections, we describe how Windows 10 quality updates will
+leverage this technique based on forward and reverse differentials for newer
+releases of Windows 10 and Windows Server to overcome the challenges with
+express downloads.
+
+## High-level Design
+
+### Update packaging
+
+Windows 10 quality update packages will contain forward differentials from
+quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM
+(∆N→RTM) for each file that has changed since RTM. By using the RTM version as
+the baseline, we ensure that all devices will have an identical payload. Update
+package metadata, content manifests, and forward and reverse differentials will
+be packaged into a cabinet file (.cab). This .cab file, and the applicability
+logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
+
+There can be cases where new files are added to the system during servicing.
+These files will not have RTM baselines, thus forward and reverse differentials
+cannot be used. In these scenarios, null differentials will be used to handle
+servicing. Null differentials are the slightly compressed and optimized version
+of the full binaries. It should be noted that update packages can have either
+forward or reverse differentials, or null differential of any given binary in
+them.
+
+![](images/PSF4.png)
+
+### Hydration and installation 
+
+Once the usual applicability checks are performed on the update package and are
+determined to be applicable, the Windows component servicing infrastructure will
+hydrate the full files during pre-installation and then proceed with the usual
+installation process.
+
+Below is a high-level sequence of activities that the component servicing
+infrastructure will run in a transaction to complete installation of the update:
+
+-   Identify all files that are required to install the update.
+
+-   Hydrate each of necessary files using current version (V<sub>N</sub>) of the file,
+    reverse differential (V<sub>N</sub>--->RTM) of the file back to quality update RTM/base
+    version and forward differential (V<sub>RTM</sub>--->R) from feature update RTM/base
+    version to the target version. Also, use null differential hydration to
+    hydrate null compressed files.
+
+-   Stage the hydrated files (full file), forward differentials (under ‘f’
+    folder) and reverse differentials (under ‘r’ folder) or null compressed
+    files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder).
+
+-   Resolve any dependencies and install components.
+
+-   Clean up older state (V<sub>N-1</sub>); the previous state V<sub>N</sub> is retained for
+    uninstallation and restoration or repair.
+
+### **Resilient Hydration**
+
+To ensure resiliency against component store corruption or missing files that
+could occur due to susceptibility of certain types of hardware to file system
+corruption, a corruption repair service has been traditionally used to recover
+the component store automatically (“automatic corruption repair”) or on demand
+(“manual corruption repair”) using an online or local repair source. This
+service will continue to offer the ability to repair and recover content for
+hydration and successfully install an update, if needed.
+
+When corruption is detected during update operations, automatic corruption
+repair will start as usual and use the Baseless Patch Storage File published to
+Windows Update for each update to fix corrupted manifests, binary differentials,
+or hydrated or full files. Baseless patch storage files will contain reverse and
+forward differentials and full files for each updated component. Integrity of
+the repair files will be hash verified.
+
+Corruption repair will use the component manifest to detect missing files and
+get hashes for corruption detection. During update installation, new registry
+flags for each differential staged on the machine will be set. When automatic
+corruption repair runs, it will scan hydrated files using the manifest and
+differential files using the flags. If the differential cannot be found or
+verified, it will be added to the list of corruptions to repair.
+
+### Lazy automatic corruption repair
+
+“Lazy automatic corruption repair” runs during update operations to detect
+corrupted binaries and differentials. While applying an update, if hydration of
+any file fails, "lazy" automatic corruption repair automatically starts,
+identifies the corrupted binary or differential file, and then adds it to the
+corruption list. Later, the update operation continues as far as it can go, so
+that "lazy" automatic corruption repair can collect as many corrupted files to fix
+as possible. At the end of the hydration section, the update fails, and
+automatic corruption repair starts. Automatic corruption repair runs as usual
+and at the end of its operation, adds the corruption list generated by "lazy"
+automatic corruption repair on top of the new list to repair. Automatic
+corruption repair then repairs the files on the corruption list and installation
+of the update will succeed on the next attempt.

windows/deployment/update/servicing-stack-updates.md

@@ -45,3 +45,5 @@ Typically, the improvements are reliability, security, and performance improveme
 * Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
 * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. 
 * Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
+* Search to install latest available [Servicing stack update for Windows 10](https://support.microsoft.com/en-us/search?query=servicing%20stack%20update%20Windows%2010).
+

windows/deployment/update/waas-quick-start.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 author: Jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
-ms.date: 05/29/2018
+ms.date: 10/17/2018
 ---
 
 # Quick guide to Windows as a service
@@ -35,6 +35,8 @@ Some new terms have been introduced as part of Windows as a service, so you shou
 
 See [Overview of Windows as a service](waas-overview.md) for more information.
 
+For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md).
+
 ## Key Concepts
 
 Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.

windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md

@@ -22,7 +22,7 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi
 ## Proof-of-concept environment
 
 
-For the purposes of this topic, we will use four machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
 
 ![figure 1](../images/upgrademdt-fig1-machines.png)
 

windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md

@@ -19,7 +19,7 @@ Drive-by DMA attacks can lead to disclosure of sensitive information residing on
 
 This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
 
-For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation.
+For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf).
 
 ## Background
 
@@ -77,10 +77,12 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do
    - Reboot system into Windows 10.
 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. 
 
+For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
+
 ## Frequently asked questions
 
 ### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?
-In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees.
+In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
 
 ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
 No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. 

windows/security/threat-protection/TOC.md

@@ -504,7 +504,7 @@
 ####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
 ####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
 ###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
-####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
+####### [Event 4782 S: The password hash of an account was accessed.](auditing/event-4782.md)
 ####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
 ###### [Audit Security Group Management](auditing/audit-security-group-management.md)
 ####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)

windows/security/threat-protection/auditing/audit-other-account-management-events.md

@@ -30,13 +30,13 @@ This subcategory allows you to audit next events:
 
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                          |
 |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.                                                             |
+| Domain Controller | Yes             | No              | Yes              | No               | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash of an account was accessed.”<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.                                                             |
 | Member Server     | No              | No              | No               | No               | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | No              | No              | No               | No               | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.   |
 
 **Events List:**
 
--   [4782](event-4782.md)(S): The password hash an account was accessed.
+-   [4782](event-4782.md)(S): The password hash of an account was accessed.
 
 -   [4793](event-4793.md)(S): The Password Policy Checking API was called.
 

windows/security/threat-protection/auditing/event-4779.md

@@ -23,7 +23,7 @@ ms.date: 04/19/2017
 
 ***Event Description:***
 
-This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true).
+This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://docs.microsoft.com/windows-hardware/drivers/display/fast-user-switching).
 
 This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example.
 

windows/security/threat-protection/auditing/event-4782.md

@@ -1,6 +1,6 @@
 ---
-title: 4782(S) The password hash an account was accessed. (Windows 10)
+title: 4782(S) The password hash of an account was accessed. (Windows 10)
-description: Describes security event 4782(S) The password hash an account was accessed.
+description: Describes security event 4782(S) The password hash of an account was accessed.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -10,7 +10,7 @@ author: Mir0sh
 ms.date: 04/19/2017
 ---
 
-# 4782(S): The password hash an account was accessed.
+# 4782(S): The password hash of an account was accessed.
 
 **Applies to**
 -   Windows 10
@@ -108,7 +108,7 @@ Typically **“Subject\\Security ID”** is the SYSTEM account.
 
 ## Security Monitoring Recommendations
 
-For 4782(S): The password hash an account was accessed.
+For 4782(S): The password hash of an account was accessed.
 
 -   Monitor for all events of this type, because any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change.
 

windows/security/threat-protection/index.md

@@ -55,11 +55,12 @@ The attack surface reduction set of capabilities provide the first line of defen
 **[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**<br>
 To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
 
-- [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) 
+- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
+- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
 - [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus)
 - [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
 
-
 <a name="edr"></a>
 
 **[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**<br>

windows/security/threat-protection/intelligence/coordinated-malware-eradication.md

@@ -32,4 +32,4 @@ Organizations participating in the CME effort work together to help eradicate se
 
 Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
 
-If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join CME, [VIA](./virus-information-alliance-criteria.md), or [MVI](./virus-initiative-criteria.md).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/intelligence/supply-chain-malware.md

@@ -17,6 +17,8 @@ Supply chain attacks are an emerging kind of threat that target software develop
 
 ## How supply chain attacks work
 
+> [!video https://www.youtube.com/embed/uXm2XNSavwo]
+
 Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.  
 
 Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app.  

windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md

@@ -46,4 +46,4 @@ To be eligible for VIA your organization must:
 
 3. Be willing to sign and adhere to the VIA membership agreement.
 
-If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join VIA, [MVI](./virus-initiative-criteria.md), or [CME](./coordinated-malware-eradication.md).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/intelligence/virus-initiative-criteria.md

@@ -52,6 +52,6 @@ Your organization must meet the following eligibility requirements to participat
 
 7. Submit your AM app to Microsoft for periodic performance testing.
 
-### Apply to MVI
+### Apply now
 
-If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join MVI, [VIA](./virus-information-alliance-criteria.md), or [CME](./coordinated-malware-eradication.md).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: justinha
 ms.author: justinha
-ms.date: 10/19/2017
+ms.date: 10/17/2017
 ---
 
 # Configure Windows Defender Application Guard policy settings
@@ -19,7 +19,7 @@ Windows Defender Application Guard (Application Guard) works with Group Policy t
 
 Application Guard uses both network isolation and application-specific settings.
 
-### Network isolation settings
+## Network isolation settings
 
 These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
 
@@ -33,15 +33,18 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
 |Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. |
 |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.|
 
-### Application-specific settings
+## Application-specific settings
 These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
 
 |Name|Supported versions|Description|Options|
 |-----------|------------------|-----------|-------|
-|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
-|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
+|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
 |Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
+|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803<br><br>(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.<br><br>**Note**<br>This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.|
+|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.<br><br></ul>**Important**<br>Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<br><br></ul>**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|
+|Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<br><br></ul>**Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.|
+|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.<br><br></ul>**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.|

windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: justinha
 ms.author: justinha
-ms.date: 10/19/2017
+ms.date: 10/16/2018
 ---
 
 # Application Guard testing scenarios
@@ -66,9 +66,9 @@ Before you can use Application Guard in enterprise mode, you must install Window
 
     ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png)
 
-4.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
+4.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
 
-5.	Click **Enabled**.
+5.	Click **Enabled** and click **OK**.
 
     ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png)
 
@@ -104,10 +104,11 @@ You have the option to change each of these settings to work with your enterpris
 - Windows 10 Enterpise edition, version 1709 or higher
 - Windows 10 Professional edition, version 1803
 
-**To change the copy and paste options**
+#### Copy and paste options
-1.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
 
-2.	Click **Enabled**.
+1.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
+
+2.	Click **Enabled** and click **OK**.
  
     ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png)
 
@@ -129,10 +130,11 @@ You have the option to change each of these settings to work with your enterpris
 
 5.	Click **OK**.
 
-**To change the print options**
+#### Print options
-1.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
 
-2.	Click **Enabled**.
+1.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
+
+2.	Click **Enabled** and click **OK**.
 
     ![Group Policy editor Print options](images/appguard-gp-print.png)
 
@@ -140,10 +142,11 @@ You have the option to change each of these settings to work with your enterpris
 
 4. Click **OK**.
 
-**To change the data persistence options**
+#### Data persistence options
-1.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
 
-2.	Click **Enabled**.
+1.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
+
+2.	Click **Enabled** and click **OK**.
 
     ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png)
  
@@ -164,10 +167,11 @@ You have the option to change each of these settings to work with your enterpris
 - Windows 10 Enterpise edition, version 1803
 - Windows 10 Professional edition, version 1803
 
-**To change the download options**
+#### Download options
-1.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
 
-2.	Click **Enabled**.
+1.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
+
+2.	Click **Enabled** and click **OK**.
 
     ![Group Policy editor Download options](images/appguard-gp-download.png)
  
@@ -177,16 +181,57 @@ You have the option to change each of these settings to work with your enterpris
 
 5.	Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
 
-**To change hardware acceleration options**
+#### Hardware acceleration options
-1.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
 
-2.	Click **Enabled**.
+1.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
+
+2.	Click **Enabled** and click **OK**.
 
     ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
  
-3.	Contact Microsoft for further information to fully enable this setting. 
+3.	Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. 
 
-4.	Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. 
+4.	Assess the visual experience and battery performance. 
 
-5.	Assess the visual experience and battery performance. 
+**Applies to:**
+- Windows 10 Enterpise edition, version 1809
+- Windows 10 Professional edition, version 1809
+
+#### File trust options
+
+1.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting.
+
+2.	Click **Enabled**, set **Options** to 2, and click **OK**.
+
+    ![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
+ 
+3.	Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+
+4.	Open a file in Edge, such an Office 365 file. 
+
+5.	Check to see that an antivirus scan completed before the file was opened.
+
+#### Camera and microphone options
+
+1.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting.
+
+2.	Click **Enabled** and click **OK**.
+
+    ![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png)
+ 
+3.	Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+
+4.	Open an application with video or audio capability in Edge. 
+
+5.	Check that the camera and microphone work as expected.
+
+#### Root certificate sharing options
+
+1.	Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
+
+2.	Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
+
+    ![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png)
+ 
+3.	Log out and back on to your device, opening Microsoft Edge in Application Guard again.
 

windows/whats-new/whats-new-windows-10-version-1607.md

@@ -103,7 +103,7 @@ Several new features and management options have been added to Windows Defender
 - [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
 - [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
 - [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
-- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more informaiton about threat detections and removal.
+- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal.
 - [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
 - [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.