-
-### Supported values
-
-| Group Policy | MDM | Registry | Description |
-|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------|
-| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
-| Enabled | 0 | 0 | Load the Start page. |
-| Enabled | 1 | 1 | Load the New Tab page. |
-| Enabled | 2 | 2 | Load the previous pages. |
-| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. |
-
----
-
-
->[!TIP]
->If you want to make changes to this policy:
value, which honors both domain and non domain-joined devices when it's the only configured URL.
+
+**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
+
+### Supported values
+
+| Group Policy | MDM | Registry | Description |
+|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------|
+| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
+| Enabled | 0 | 0 | Load the Start page. |
+| Enabled | 1 | 1 | Load the New Tab page. |
+| Enabled | 2 | 2 | Load the previous pages. |
+| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. |
+
+---
+
+> [!TIP]
+> If you want to make changes to this policy:
- Set the **Disabled Lockdown of Start Pages** policy to not configured.
- Make changes to the **Configure Open Microsoft With** policy.
- Enable the **Disabled Lockdown of Start Pages** policy.
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Open Microsoft Edge With
+- **GP name:** ConfigureOpenMicrosoftEdgeWith
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureOpenEdgeWith
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+
+
+---
diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
index d64fe44479..4ec95259a1 100644
--- a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
+++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
@@ -13,8 +13,8 @@ ms.topic: include
By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List.
->[!NOTE]
->If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11.
+> [!NOTE]
+> If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11.
You can find the group policy settings in the following location of the Group Policy Editor:
diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md
index fdb0016715..739f15e3be 100644
--- a/browsers/edge/includes/provision-favorites-include.md
+++ b/browsers/edge/includes/provision-favorites-include.md
@@ -1,52 +1,53 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Customizable)*
-
-[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
-
-
->[!IMPORTANT]
->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
-
-### Supported values
-
-| Group Policy | Description | Most restricted |
-|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
-| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
-| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.To define a default list of favorites, do the following:
- In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
- Click **Import from another browser**, click **Export to file** and save the file.
- In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
- HTTP location: "SiteList"=
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
|  |
-
----
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:** Provision Favorites
-- **GP name:** ConfiguredFavorites
-- **GP element:** ConfiguredFavoritesPrompt
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites)
-- **Supported devices:** Desktop
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites
-- **Data type:** String
-
-#### Registry settings
-- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites
-- **Value name:** ConfiguredFavorites
-- **Value type:** REG_SZ
-
-### Related policies
-[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
-
-
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+> *Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+> *Default setting: Disabled or not configured (Customizable)*
+
+[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
+
+
+> [!IMPORTANT]
+> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
+
+### Supported values
+
+| Group Policy | Description | Most restricted |
+|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
+| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
+| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.To define a default list of favorites, do the following:
- In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
- Click **Import from another browser**, click **Export to file** and save the file.
- In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
- HTTP location: "SiteList"=
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
|  |
+
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Provision Favorites
+- **GP name:** ConfiguredFavorites
+- **GP element:** ConfiguredFavoritesPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites
+- **Value name:** ConfiguredFavorites
+- **Value type:** REG_SZ
+
+### Related policies
+[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
+
+
diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
index 2d8195f03e..0f909d31d7 100644
--- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md
+++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
@@ -1,62 +1,63 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured*
-
-[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
-
->[!TIP]
->Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager.
-
-
-### Supported values
-
-| Group Policy | MDM | Registry | Description | Most restricted |
-|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
-| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
-| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**
- Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.
A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
| |
-
----
-
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:** Send all intranet sites to Internet Explorer 11
-- **GP name:** SendIntranetTraffictoInternetExplorer
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer)
-- **Supported devices:** Desktop
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
-- **Data type:** Integer
-
-#### Registry settings
-- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
-- **Value name:** SendIntranetTraffictoInternetExplorer
-- **Value type:** REG_DWORD
-
-### Related Policies
-- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
-
-- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
-
-
-### Related topics
-- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge.
-
-- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
-
-- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
-
-
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+> *Supported versions: Microsoft Edge on Windows 10*
+> *Default setting: Disabled or not configured*
+
+[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
+
+> [!TIP]
+> Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager.
+
+
+### Supported values
+
+| Group Policy | MDM | Registry | Description | Most restricted |
+|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
+| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
+| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**
- Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.
A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
| |
+
+---
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Send all intranet sites to Internet Explorer 11
+- **GP name:** SendIntranetTraffictoInternetExplorer
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** SendIntranetTraffictoInternetExplorer
+- **Value type:** REG_DWORD
+
+### Related Policies
+- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+
+### Related topics
+- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge.
+
+- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
+
+
diff --git a/browsers/edge/managing-group-policy-admx-files.md b/browsers/edge/managing-group-policy-admx-files.md
index 8b93e0ebc2..11dede91d3 100644
--- a/browsers/edge/managing-group-policy-admx-files.md
+++ b/browsers/edge/managing-group-policy-admx-files.md
@@ -19,8 +19,8 @@ ms.date: 10/19/2018
ADMX files, which are registry-based policy settings provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. The ADMX files replace ADM files, which used a different markup language.
->[!NOTE]
->The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
+> [!NOTE]
+> The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior supports less common scenarios. For domain-based enterprises, you can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools continue to recognize other earlier ADM files you have in your existing environment. The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files.
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
index c4141688d8..8249262926 100644
--- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@@ -1,8 +1,8 @@
---
title: Deploy Microsoft Edge Legacy kiosk mode
description: Microsoft Edge Legacy kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge Legacy kiosk mode, you must configure Microsoft Edge Legacy as an application in assigned access.
-ms.assetid:
-ms.reviewer:
+ms.assetid:
+ms.reviewer:
audience: itpro
manager: dansimp
author: dansimp
@@ -16,28 +16,28 @@ ms.date: 01/17/2020
# Deploy Microsoft Edge Legacy kiosk mode
->Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
->Professional, Enterprise, and Education
+> Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
+> Professional, Enterprise, and Education
> [!NOTE]
> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode).
In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode.
-In this topic, you'll learn:
+In this topic, you'll learn:
- How to configure the behavior of Microsoft Edge Legacy when it's running in kiosk mode with assigned access.
-- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices.
-- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service.
+- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices.
+- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service.
-At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
+At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
## Kiosk mode configuration types
->**Policy** = Configure kiosk mode (ConfigureKioskMode)
+> **Policy** = Configure kiosk mode (ConfigureKioskMode)
-Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
+Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image)
@@ -50,9 +50,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend
### Important things to note before getting started
-- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device.
+- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device.
-- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks.
+- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks.
- Microsoft Edge Legacy kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge Legacy resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own.
@@ -67,7 +67,7 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend
- [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3).
-### Supported configuration types
+### Supported configuration types
[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)]
@@ -75,9 +75,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend
Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge Legacy kiosk mode:
-- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
+- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
-- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
+- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
### Prerequisites
@@ -89,14 +89,14 @@ Now that you're familiar with the different kiosk mode configurations and have t
- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page.
- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge Legacy:
-
+
```
Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
```
### Setup required for Microsoft Edge Legacy kiosk mode
-When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge.
+When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge.
To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take one of the following actions:
@@ -104,11 +104,11 @@ To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take on
- To prevent Microsoft Edge Stable channel from being installed on your kiosk devices deploy the Microsoft Edge [Allow installation default](https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies#installdefault) policy for Stable channel or consider using the [Blocker toolkit](https://docs.microsoft.com/DeployEdge/microsoft-edge-blocker-toolkit) to disable automatic delivery of Microsoft Edge.
> [!NOTE]
-> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge).
+> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge).
### Use Windows Settings
-Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
+Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**.
@@ -120,9 +120,9 @@ Windows Settings is the simplest and the only way to set up one or a couple of s
5. Select how Microsoft Edge Legacy displays when running in kiosk mode:
- - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data.
+ - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data.
- - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data.
+ - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data.
6. Select **Next**.
@@ -136,23 +136,23 @@ Windows Settings is the simplest and the only way to set up one or a couple of s
11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration.
-**_Congratulations!_** You’ve just finished setting up a single-app kiosk device using Windows Settings.
+**_Congratulations!_**
You’ve just finished setting up a single-app kiosk device using Windows Settings.
-**_What's next?_**
+**_What's next?_**
- User your new kiosk device.
OR
- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge Legacy**.
----
+---
### Use Microsoft Intune or other MDM service
With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge Legacy kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
->[!IMPORTANT]
->If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
+> [!IMPORTANT]
+> If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
@@ -166,7 +166,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur
| **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
- **0 (default)** - Not configured. Show home button, and load the default Start page.
- **1** - Enabled. Show home button and load New Tab page
- **2** - Enabled. Show home button & set a specific page.
- **3** - Enabled. Hide the home button.
|
| **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)** | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com |
| **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com |
-
+
**_Congratulations!_**
You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
@@ -177,7 +177,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur
## Supported policies for kiosk mode
-Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
+Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
Make sure to check with your provider for instructions.
@@ -251,18 +251,18 @@ Make sure to check with your provider for instructions.
 = Not applicable or not supported
 = Supported
----
+---
## Feature comparison of kiosk mode and kiosk browser app
In the following table, we show you the features available in both Microsoft Edge Legacy kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
-| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
+| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
| Print support |  |  |
| Multi-tab support |  |  |
-| Allow/Block URL support |   |
+| Allow/Block URL support |  |  |
| Configure Home Button |  |  |
| Set Start page(s) URL |  | 
*Same as Home button URL* |
| Set New Tab page URL |  |  |
@@ -280,6 +280,6 @@ To prevent access to unwanted websites on your kiosk device, use Windows Defende
## Provide feedback or get support
-To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
index 91065aa687..35f4b5ac73 100644
--- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
+++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
@@ -1,12 +1,13 @@
---
author: dansimp
ms.author: dansimp
-ms.date: 10/02/2018
+ms.date: 04/23/2020
ms.reviewer:
-audience: itpro
manager: dansimp
+audience: itpro
+manager: dansimp
ms.prod: edge
ms.topic: include
---
-[Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy):
-This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+[Microsoft browser extension policy](https://docs.microsoft.com/legal/microsoft-edge/microsoft-browser-extension-policy):
+This article describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content these browsers display. Techniques that aren't explicitly listed in this article are considered to be **unsupported**.
diff --git a/browsers/edge/web-app-compat-toolkit.md b/browsers/edge/web-app-compat-toolkit.md
index 8ec157e607..00e7a02d51 100644
--- a/browsers/edge/web-app-compat-toolkit.md
+++ b/browsers/edge/web-app-compat-toolkit.md
@@ -1,6 +1,6 @@
---
title: Web Application Compatibility lab kit
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
description: Learn how to use the web application compatibility toolkit for Microsoft Edge.
@@ -14,7 +14,7 @@ ms.localizationpriority: high
# Web Application Compatibility lab kit
->Updated: October, 2017
+> Updated: October, 2017
Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility.
@@ -22,7 +22,7 @@ The Web Application Compatibility Lab Kit is a primer for the features and techn
The Web Application Compatibility Lab Kit includes:
-- A pre-configured Windows 7 and Windows 10 virtual lab environment with:
+- A pre-configured Windows 7 and Windows 10 virtual lab environment with:
- Windows 7 Enterprise Evaluation
- Windows 10 Enterprise Evaluation (version 1607)
- Enterprise Mode Site List Manager
@@ -36,10 +36,10 @@ Depending on your environment, your web apps may "just work” using the methods
There are two versions of the lab kit available:
-- Full version (8 GB) - includes a complete virtual lab environment
+- Full version (8 GB) - includes a complete virtual lab environment
- Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system
-The Web Application Compatibility Lab Kit is also available in the following languages:
+The Web Application Compatibility Lab Kit is also available in the following languages:
- Chinese (Simplified)
- Chinese (Traditional)
@@ -48,11 +48,11 @@ The Web Application Compatibility Lab Kit is also available in the following lan
- Italian
- Japanese
- Korean
-- Portuguese (Brazil)
+- Portuguese (Brazil)
- Russian
- Spanish
[DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab)
->[!TIP]
->Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space.
+> [!TIP]
+> Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space.
diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
index cbfc5f11b5..867bb143b8 100644
--- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
+++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
manager: dansimp
ms.author: dansimp
---
@@ -17,16 +17,16 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
->[!Important]
->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
**To create a new change request**
1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
@@ -36,7 +36,7 @@ Employees assigned to the Requester role can create a change request. A change r
2. Fill out the required fields, based on the group and the app, including:
- **Group name.** Select the name of your group from the dropdown box.
-
+
- **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
- **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
@@ -58,16 +58,16 @@ Employees assigned to the Requester role can create a change request. A change r
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx).
-
+
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
-
+
A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
- **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
-
+
- **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
diff --git a/browsers/enterprise-mode/enterprise-mode-features-include.md b/browsers/enterprise-mode/enterprise-mode-features-include.md
index 8090fc9ba8..9da0e79778 100644
--- a/browsers/enterprise-mode/enterprise-mode-features-include.md
+++ b/browsers/enterprise-mode/enterprise-mode-features-include.md
@@ -1,4 +1,5 @@
### Enterprise Mode features
+
Enterprise Mode includes the following features:
- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes.
@@ -8,9 +9,9 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
- >[!Important]
- >All centrally-made decisions override any locally-made choices.
+ > [!Important]
+ > All centrally-made decisions override any locally-made choices.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
-- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
\ No newline at end of file
+- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md
index 21efc17c35..ff7107b46a 100644
--- a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md
+++ b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md
@@ -35,8 +35,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all
2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
- >[!Note]
- >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
+ > [!NOTE]
+ > You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
3. Open File Explorer and then open the **EMIEWebPortal/** folder.
@@ -105,8 +105,8 @@ Create a new Application Pool and the website, by using the IIS Manager.
9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
- >[!Note]
- >You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
+ > [!NOTE]
+ > You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon.
@@ -116,8 +116,8 @@ Create a new Application Pool and the website, by using the IIS Manager.
- **Initial catalog.** The name of your database.
- >[!Note]
- >Step 3 of this topic provides the steps to create your database.
+ > [!NOTE]
+ > Step 3 of this topic provides the steps to create your database.
## Step 3 - Create and prep your database
Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
@@ -216,8 +216,8 @@ Register the EMIEScheduler tool and service for production site list changes.
1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\.
- >[!Important]
- >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
+ > [!IMPORTANT]
+ > If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_.
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
index 1a704aa67e..4651adf5cf 100644
--- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -1,8 +1,8 @@
Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing
centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser.
->[!NOTE]
->We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
+> [!NOTE]
+> We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
**Group Policy**
diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
index a72f720a3f..3e06b8b806 100644
--- a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
manager: dansimp
ms.author: dansimp
---
@@ -17,18 +17,18 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
->[!Important]
->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
-- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
index 22464cc569..31961c97a1 100644
--- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
+++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
@@ -1,22 +1,23 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
-
->[!IMPORTANT]
->Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
-
-1. In the Enterprise Mode Site List Manager, click **File \> Import**.
-
-2. Go to the exported .EMIE file.
For example, `C:\users\\documents\sites.emie`
-
-1. Click **Open**.
-
-2. Review the alert message about all of your entries being overwritten and click **Yes**.
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
+
+> [!IMPORTANT]
+> Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
+
+1. In the Enterprise Mode Site List Manager, click **File \> Import**.
+
+2. Go to the exported .EMIE file.For example, `C:\users\\documents\sites.emie`
+
+1. Click **Open**.
+
+2. Review the alert message about all of your entries being overwritten and click **Yes**.
diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md
index 04470d33af..407e07bf91 100644
--- a/browsers/includes/interoperability-goals-enterprise-guidance.md
+++ b/browsers/includes/interoperability-goals-enterprise-guidance.md
@@ -26,8 +26,8 @@ You must continue using IE11 if web apps use any of the following:
If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11.
->[!TIP]
->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714).
+> [!TIP]
+> If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714).
|Technology |Why it existed |Why we don't need it anymore |
@@ -38,4 +38,3 @@ If you have uninstalled IE11, you can download it from the Microsoft Store or th
---
-
diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md
index 28a0957588..ceb4d9b0f2 100644
--- a/browsers/internet-explorer/TOC.md
+++ b/browsers/internet-explorer/TOC.md
@@ -47,6 +47,7 @@
#### [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
#### [Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
#### [Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
+#### [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md)
### [Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
#### [Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
##### [Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
index 2fa52865ab..78f0903d6f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
@@ -116,7 +116,3 @@ After you’ve added all of your sites to the tool and saved the file to XML, yo
- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index 46a8edef5e..0977b87b94 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -7,7 +7,8 @@ author: dansimp
ms.prod: ie11
ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b
ms.reviewer:
-audience: itpro
manager: dansimp
+audience: itpro
+manager: dansimp
ms.author: dansimp
title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
ms.sitesec: library
@@ -57,16 +58,20 @@ You can add individual sites to your compatibility list by using the Enterprise
5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site.
- - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee.
+ - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), this option will open sites in Internet Explorer mode.
- **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
- **None**. Opens in whatever browser the employee chooses.
-6. Click **Save** to validate your website and to add it to the site list for your enterprise.
+6. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), and you have sites that still need to opened in the standalone Internet Explorer 11 application, you can check the box for **Standalone IE**. This checkbox is only relevant when associated to 'Open in' IE11. Checking the box when 'Open In' is set to MSEdge or None will not change browser behavior.
+
+7. The checkbox **Allow Redirect** applies to the treatment of server side redirects. If you check this box, server side redirects will open in the browser specified by the open-in tag. For more information, see [here](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance#updated-schema-attributes).
+
+8. Click **Save** to validate your website and to add it to the site list for your enterprise.
If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
-7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
+9. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
## Next steps
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index d15192b9d3..278408ab38 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
@@ -18,16 +18,16 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
->[!Important]
->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
**To create a new change request**
1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
@@ -37,7 +37,7 @@ Employees assigned to the Requester role can create a change request. A change r
2. Fill out the required fields, based on the group and the app, including:
- **Group name.** Select the name of your group from the dropdown box.
-
+
- **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
- **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
@@ -59,16 +59,17 @@ Employees assigned to the Requester role can create a change request. A change r
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx).
-
+
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
-
+
A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
- **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
-
+
- **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
+
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
index 2ab127eec5..cb419efe7f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
@@ -81,8 +81,8 @@ Every add-on has a Class ID (CLSID) that you use to enable and disable specific
2. From the copied information, select and copy just the **Class ID** value.
- >[!NOTE]
- >You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
+ > [!NOTE]
+ > You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
**-OR-**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index 008e2624c0..d94601a9d5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -20,7 +20,7 @@ ms.date: 07/27/2017
If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872).
## Group Policy Object-related Log Files
-You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**. For more information about the Event Viewer, see [What information appears in event logs? (Event Viewer)](https://go.microsoft.com/fwlink/p/?LinkId=294917).
+You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index 0b1edff4cd..9fe7dca247 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -37,8 +37,8 @@ current version of Internet Explorer.
Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.
->[!Note]
->If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app.
+> [!NOTE]
+> If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app.
## Internet Explorer 11 automatic upgrades
@@ -52,14 +52,14 @@ If you use Automatic Updates in your company, but want to stop your users from a
- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
- >[!Note]
- >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md).
+ > [!NOTE]
+ > The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md).
- **Use an update management solution to control update deployment.**
If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
- >[!Note]
- >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202).
+ > [!NOTE]
+ > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202).
Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx).
@@ -81,13 +81,13 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There
4. Click the rule that automatically approves an update that is classified as
Update Rollup, and then click **Edit.**
- >[!Note]
- >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else.
+ > [!NOTE]
+ > If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else.
5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
- >[!Note]
- >The properties for this rule will resemble the following:
- When an update is in Update Rollups
- Approve the update for all computers
+ > [!NOTE]
+ > The properties for this rule will resemble the following:- When an update is in Update Rollups
- Approve the update for all computers
6. Clear the **Update Rollup** check box, and then click **OK**.
@@ -101,12 +101,12 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There
11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**.
-12. Choose **Unapproved** in the **Approval**drop down box.
+12. Choose **Unapproved** in the **Approval** drop down box.
13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update.
- >[!Note]
- >There may be multiple updates, depending on the imported language and operating system updates.
+ > [!NOTE]
+ > There may be multiple updates, depending on the imported language and operating system updates.
**Optional**
@@ -126,8 +126,8 @@ If you need to reset your Update Rollups packages to auto-approve, do this:
7. Click **OK** to close the **Automatic Approvals** dialog box.
->[!Note]
->Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved.
+> [!NOTE]
+> Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved.
## Additional resources
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png b/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png
index d2508016be..7626296e87 100644
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png and b/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 5097f83564..6b34fcc195 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -9,6 +9,8 @@ manager: dansimp
ms.author: dansimp
---
+# Full-sized flowchart detailing how document modes are chosen in IE11
+
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
new file mode 100644
index 0000000000..bb22b43b3f
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -0,0 +1,47 @@
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: How to use Site List Manager to review neutral sites for IE mode
+author: dansimp
+ms.prod: ie11
+ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+ms.sitesec: library
+ms.date: 04/02/2020
+---
+
+# Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8
+- Windows Server 2012 R2
+- Microsoft Edge version 77 or later
+
+> [!NOTE]
+> This feature is available on the Enterprise Mode Site List Manager version 11.0.
+
+## Overview
+
+While converting your site from v.1 schema to v.2 schema using the latest version of the Enterprise Mode Site List Manager, sites with the *doNotTransition=true* in v.1 convert to *open-in=None* in the v.2 schema, which is characterized as a "neutral site". This is the expected behavior for conversion unless you are using Internet Explorer mode (IE mode). When IE mode is enabled, only authentication servers that are used for modern and legacy sites should be set as neutral sites. For more information, see [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites). Otherwise, a site meant to open in Edge might potentially be tagged as neutral, which results in inconsistent experiences for users.
+
+The Enterprise Mode Site List Manager provides the ability to flag sites that are listed as neutral sites, but might have been added in error. This check is automatically performed when you are converting from v.1 to v.2 through the tool. This check might flag sites even if there was no prior schema conversion.
+
+## Flag neutral sites
+
+To identify neutral sites to review:
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **File > Flag neutral sites**.
+2. If selecting this option has no effect, there are no sites that needs to be reviewed. Otherwise, you will see a message **"Engine neutral sites flagged for review"**. When a site is flagged, you can assess if the site needs to be removed entirely, or if it needs the open-in attribute changed from None to MSEdge.
+3. If you believe that a flagged site is correctly configured, you can edit the site entry and click on **"Clear Flag"**. Once you select that option for a site, it will not be flagged again.
+
+## Related topics
+
+- [About IE Mode](https://docs.microsoft.com/deployedge/edge-ie-mode)
+- [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index bc468576ed..0f35b04d1c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -31,7 +31,7 @@ You can search to see if a specific site already appears in your global Enterpri
**To search your compatibility list**
- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.
- The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported.
+ The search query searches all of the text. For example, entering *“micro”* will return results like, `www.microsoft.com`, `microsoft.com`, and `microsoft.com/images`. Wildcard characters aren’t supported.
## Related topics
- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index e63d79527c..7b0dd491aa 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -36,8 +36,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all
2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
- >[!Note]
- >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
+ > [!NOTE]
+ > You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
3. Open File Explorer and then open the **EMIEWebPortal/** folder.
@@ -49,8 +49,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all
6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution.
- >[!Note]
- >Step 3 of this topic provides the steps to create your database.
+ > [!NOTE]
+ > Step 3 of this topic provides the steps to create your database.
7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
@@ -109,8 +109,8 @@ Create a new Application Pool and the website, by using the IIS Manager.
9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
- >[!Note]
- >You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
+ > [!NOTE]
+ > You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
## Step 3 - Create and prep your database
Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
@@ -209,8 +209,8 @@ Register the EMIEScheduler tool and service for production site list changes.
1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\.
- >[!Important]
- >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
+ > [!IMPORTANT]
+ > If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index c5a68132d8..1f9a047156 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -85,8 +85,8 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern
- Run the site in each document mode until you find the mode in which the site works.
- >[!NOTE]
- >You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10.
+ > [!NOTE]
+ > You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10.
- If you find a mode in which your site works, you will need to add the site domain, sub-domain, or URL to the Enterprise Mode Site List for the document mode in which the site works, or ask the IT administrator to do so. You can add the *x-ua-compatible* meta tag or HTTP header as well.
@@ -116,8 +116,8 @@ If IE8 Enterprise Mode doesn't work, IE7 Enterprise Mode will give you the Compa
If the site works, inform the IT administrator that the site needs to be added to the IE7 Enterprise Mode section.\
->[!NOTE]
->Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update.
+> [!NOTE]
+> Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update.
### Update the site for modern web standards
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index 29c8de2486..744df8c766 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -28,8 +28,8 @@ ms.localizationpriority: medium
Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser.
->[!NOTE]
->We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
+> [!NOTE]
+> We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
**To turn on Enterprise Mode using Group Policy**
@@ -63,9 +63,4 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 58ffc300ce..3cbc140f4b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -26,7 +26,7 @@ ms.date: 12/04/2017
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
@@ -49,12 +49,14 @@ The following topics give you more information about the things that you can do
|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). |
|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md) |How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion. This topic applies to the Enterprise Mode Site List Manager version 11.0 or later. |
|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+| [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md)|How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion.
This topic applies to the latest version of the Enterprise Mode Site List Manager.
## Related topics
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 3a1f3b4596..14fcd048fc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -46,14 +46,6 @@ For IE11, the UI has been changed to provide just the controls needed to support
## Where did the search box go?
IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider.
->[!NOTE]
->Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
-
-
-
-
-
-
-
-
+> [!NOTE]
+> Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index 710c69e3cb..07e3ce2e2b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -30,7 +30,7 @@ Before you begin, you should:
- **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md).
-- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, System Center System Center 2012 R2 Configuration Manager, or your network.
+- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Endpoint Configuration Manager, or your network.
- **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index 8a161b2ffb..a3fce1731d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
@@ -18,18 +18,18 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
->[!Important]
->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
-- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index da309b68cd..1a2c6fc17a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -20,11 +20,11 @@ ms.date: 10/25/2018
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
@@ -33,7 +33,7 @@ If you have specific websites and apps that you know have compatibility problems
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
->[!TIP]
+> [!TIP]
> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
@@ -54,8 +54,8 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
- >[!Important]
- >All centrally-made decisions override any locally-made choices.
+ > [!Important]
+ > All centrally-made decisions override any locally-made choices.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
@@ -121,11 +121,11 @@ There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
- We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+ We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
- If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+ If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index 98f659748d..4f1c56a922 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -29,8 +29,8 @@ ms.date: 05/10/2018
The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update.
->[!IMPORTANT]
->The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11.
+> [!IMPORTANT]
+> The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11.
## Install the toolkit
@@ -69,13 +69,13 @@ If you use Automatic Updates in your company, but want to stop your users from a
- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
- >[!NOTE]
+ > [!NOTE]
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11).
- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
->[!NOTE]
->If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
+> [!NOTE]
+> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
### Prevent automatic installation of Internet Explorer 11 with WSUS
@@ -90,13 +90,13 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There
4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.**
- >[!NOTE]
- >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else.
+ > [!NOTE]
+ > If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else.
5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
- >[!NOTE]
- >The properties for this rule will resemble the following:
- When an update is in Update Rollups
- Approve the update for all computers
+ > [!NOTE]
+ > The properties for this rule will resemble the following:- When an update is in Update Rollups
- Approve the update for all computers
6. Clear the **Update Rollup** check box, and then click **OK**.
@@ -116,8 +116,8 @@ After the new Internet Explorer 11 package is available for download, you should
6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update.
->[!NOTE]
->There may be multiple updates, depending on the imported language and operating system updates.
+> [!NOTE]
+> There may be multiple updates, depending on the imported language and operating system updates.
### Optional - Reset update rollups packages to auto-approve
@@ -135,8 +135,8 @@ After the new Internet Explorer 11 package is available for download, you should
7. Click **OK** to close the **Automatic Approvals** dialog box.
->[!NOTE]
->Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved.
+> [!NOTE]
+> Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved.
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
index a4cb639bc5..e35b64b8a4 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -5,8 +5,8 @@ description: Get answers to commonly asked questions about the Internet Explorer
author: dansimp
ms.author: dansimp
ms.prod: ie11
-ms.assetid:
-ms.reviewer:
+ms.assetid:
+ms.reviewer:
audience: itpro
manager: dansimp
title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
@@ -16,50 +16,50 @@ ms.date: 05/10/2018
# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
-Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
+Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
->[!Important]
->If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
+> [!Important]
+> If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
-- [Automatic updates delivery process](#automatic-updates-delivery-process)
+- [Automatic updates delivery process](#automatic-updates-delivery-process)
-- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works)
+- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works)
-- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services)
+- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services)
## Automatic Updates delivery process
-**Q. Which users will receive Internet Explorer 11 as an important update?**
-A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
-
-**Q. When is the Blocker Toolkit available?**
-A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
-
-**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
-A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
-
-**Q. How long does the blocker mechanism work?**
-A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed.
-
-**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?**
-A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers.
-
+**Q. Which users will receive Internet Explorer 11 as an important update?**
+A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
+
+**Q. When is the Blocker Toolkit available?**
+A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
+
+**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
+A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
+
+**Q. How long does the blocker mechanism work?**
+A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed.
+
+**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?**
+A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers.
+
The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or
-other update management solution.
-
-**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?**
+other update management solution.
+
+**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?**
A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable.
## How the Internet Explorer 11 Blocker Toolkit works
-**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
-A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
-
-**Q. What’s the registry key used to block delivery of Internet Explorer 11?**
-A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
-
-**Q. What’s the registry key name and values?**
+**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
+A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
+
+**Q. What’s the registry key used to block delivery of Internet Explorer 11?**
+A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
+
+**Q. What’s the registry key name and values?**
The registry key name is **DoNotAllowIE11**, where:
- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option.
@@ -67,23 +67,23 @@ The registry key name is **DoNotAllowIE11**, where:
- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a
manual update.
-**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
-A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
-
-**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
-A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
-
-**Q. How does the provided script work?**
+**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
+A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
+
+**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
+A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
+
+**Q. How does the provided script work?**
A. The script accepts one of two command line options:
- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
-**Q. What’s the ADM template file used for?**
-A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
-
-**Q. Is the tool localized?**
+**Q. What’s the ADM template file used for?**
+A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
+
+**Q. Is the tool localized?**
A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems.
## Internet Explorer 11 Blocker Toolkit and other update services
@@ -91,17 +91,17 @@ A. No. The tool isn’t localized, it’s only available in English (en-us). How
**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center.
-**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?**
-A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions.
-
-**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
+**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?**
+A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions.
+
+**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
A. You only need to change your settings if:
-- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
+- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
-and-
-- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
+- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
-and-
@@ -112,10 +112,10 @@ If these scenarios apply to your company, see [Internet Explorer 11 delivery thr
## Additional resources
-- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
+- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
-- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
+- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
-- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
+- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
-- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
+- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
index 8064c74737..7405392094 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
@@ -36,22 +36,22 @@ You can customize and install IEAK 11 on the following supported operating syste
- Windows Server 2008 R2 Service Pack 1 (SP1)
->[!Note]
->IEAK 11 does not support building custom packages for Windows RT.
+> [!NOTE]
+> IEAK 11 does not support building custom packages for Windows RT.
**What can I customize with IEAK 11?**
The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable.
->[!Note]
->Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package.
+> [!NOTE]
+> Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package.
**Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?**
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
->[!Note]
->IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
+> [!NOTE]
+> IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources:
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 3187f8b507..29b8c0ceca 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -14,12 +14,12 @@ manager: dansimp
# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
-The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
+The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
->[!IMPORTANT]
->Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
+> [!IMPORTANT]
+> Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
## Included technology
@@ -41,7 +41,7 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
## Related topics
- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
-- [Download IEAK 11](ieak-information-and-downloads.md)
+- [Download IEAK 11](ieak-information-and-downloads.md)
- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 296dec1688..ea1f1cb9e1 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -6,7 +6,7 @@ author: dansimp
ms.author: dansimp
ms.prod: ie11
ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
@@ -21,8 +21,8 @@ In addition to the Software License Terms for the Internet Explorer Administrati
During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
- >[!IMPORTANT]
- >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
+ > [!IMPORTANT]
+ > Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
@@ -64,10 +64,10 @@ During installation, you must pick a version of IEAK 11, either **External** or
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-- **External Distribution**
+- **External Distribution**
This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
-- **Internal Distribution**
+- **Internal Distribution**
This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
The table below identifies which customizations you may or may not perform based on the mode you selected.
@@ -100,8 +100,8 @@ Support for some of the Internet Explorer settings on the wizard pages varies de
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-- **External Distribution**
+- **External Distribution**
You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
-- **Internal Distribution - corporate intranet**
+- **Internal Distribution - corporate intranet**
The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
index 7b0db0bbc4..9ae559b4b4 100644
--- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
@@ -98,14 +98,14 @@ Pressing the **F1** button on the **Automatic Version Synchronization** page of
## Certificate installation does not work on IEAK 11
IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe).
->[!NOTE]
->This applies only when using the External licensing mode of IEAK 11.
+> [!NOTE]
+> This applies only when using the External licensing mode of IEAK 11.
## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11
When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language.
->[!NOTE]
->This applies only when using the Internal licensing mode of IEAK 11.
+> [!NOTE]
+> This applies only when using the Internal licensing mode of IEAK 11.
To work around this issue, run the customization wizard following these steps:
1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11.
diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
index 5e8b4e979e..06b86bce15 100644
--- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
+++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
@@ -32,8 +32,8 @@ IEAK 10 and newer includes the ability to install using one of the following ins
- Internal
- External
->[!NOTE]
->IEAK 11 works in network environments, with or without Microsoft Active Directory service.
+> [!NOTE]
+> IEAK 11 works in network environments, with or without Microsoft Active Directory service.
### Corporations
diff --git a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
index 0031c6792e..7adcb24c17 100644
--- a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
+++ b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
@@ -9,7 +9,7 @@ ms.reviewer: ramakoni, DEV_Triage
ms.prod: internet-explorer
ms.technology:
ms.topic: kb-support
-ms.custom: CI=111020
+ms.custom: CI=111026
ms.localizationpriority: Normal
# localization_priority: medium
# ms.translationtype: MT
@@ -71,10 +71,18 @@ The batch file offers the following options:
**Contents of the batch file**
-```console
+```dos
@echo off
-:: AxelR Test Batch
-:: tested on Windows 8 + IE10, Windows7 + IE9
+# This sample script is not supported under any Microsoft standard support program or service.
+# The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims
+# all implied warranties including, without limitation, any implied warranties of merchantability
+# or of fitness for a particular purpose. The entire risk arising out of the use or performance of
+# the sample scripts and documentation remains with you. In no event shall Microsoft, its authors,
+# or anyone else involved in the creation, production, or delivery of the scripts be liable for any
+# damages whatsoever (including, without limitation, damages for loss of business profits, business
+# interruption, loss of business information, or other pecuniary loss) arising out of the use of or
+# inability to use the sample scripts or documentation, even if Microsoft has been advised of the
+# possibility of such damages
:home
cls
@@ -83,55 +91,33 @@ echo Delete IE History
echo Please select the task you wish to run.
echo Pick one:
echo.
-echo 1. Delete Non-trusted web History(low level hidden clean up)
-echo 2. Delete History
-echo 3. Delete Cookies
-echo 4. Delete Temporary Internet Files
-echo 5. Delete Form Data
-echo 6. Delete Stored Passwords
-echo 7. Delete All
-echo 8. Delete All "Also delete files and settings stored by add-ons"
-echo 9. Delete IE10 and 9 Temporary Internet Files
-echo 10. Reset IE Settings
-echo 77. EXIT
+echo 1. Delete History
+echo 2. Delete Cookies
+echo 3. Delete Temporary Internet Files
+echo 4. Delete Form Data
+echo 5. Delete Stored Passwords
+echo 6. Delete All
+echo 7. Delete All "Also delete files and settings stored by add-ons"
+echo 8. Delete IE10 and 9 Temporary Internet Files
+echo 9. Reset IE Settings
+echo 00. EXIT
:choice
Echo Hit a number [1-10] and press enter.
set /P CH=[1-10]
-if "%CH%"=="1" set x=del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
-if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
-if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
-if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
-if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
-if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
-if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
-if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
-if "%CH%"=="9" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
-if "%CH%"=="10" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults
-if "%CH%"=="77" goto quit
+if "%CH%"=="1" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
+if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
+if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
+if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
+if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
+if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
+if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
+if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
+if "%CH%"=="9" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults
+if "%CH%"=="00" goto quit
%x%
-goto Home
-
-::Temporary Internet Files > Delete files - To delete copies of web pages, images, and media
-::that are saved for faster viewing.
-::Cookies > Delete cookies - To delete cookies, which are files that are stored on your computer by
-::websites to save preferences such as login information.
-::History > Delete history - To delete the history of the websites you have visited.
-::Form data > Delete forms - To delete all the saved information that you have typed into
-::forms.
-::Passwords > Delete passwords - To delete all the passwords that are automatically filled in
-::when you log on to a website that you've previously visited.
-::Delete all - To delete all of these listed items in one operation.
-
-::enter below in search/run to see Low history dir if exists
-::C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low
-
-::Delete all low (untrusted history) very hidden
-::this will clean any unlocked files under the dir and not delete the dir structure
-::del /s /q low\* /ah ::del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
-
goto Home
:quit
```
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index d1c0ab596f..7e5b56e47f 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,10 +1,11 @@
-# [HoloLens overview](index.md)
+# [Microsoft HoloLens](index.md)
-# Get Started with HoloLens 2
+# Get started with HoloLens 2
## [HoloLens 2 hardware](hololens2-hardware.md)
## [Get your HoloLens 2 ready to use](hololens2-setup.md)
## [Set up your HoloLens 2](hololens2-start.md)
## [HoloLens 2 fit and comfort FAQ](hololens2-fit-comfort-faq.md)
+## [HoloLens 2 cleaning FAQ](hololens2-maintenance.md)
## [Supported languages for HoloLens 2](hololens2-language-support.md)
## [Getting around HoloLens 2](hololens2-basic-usage.md)
@@ -16,54 +17,59 @@
## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md)
## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md)
-# Deploying HoloLens and Mixed Reality Apps in Commercial Environments
-## [Deployment planning](hololens-requirements.md)
-## [Commercial feature overview](hololens-commercial-features.md)
-## [Lincense Requriements](hololens-licenses-requirements.md)
-## [Commercial Infrastructure Guidance](hololens-commercial-infrastructure.md)
+# Deploy HoloLens and mixed-reality apps in commercial environments
+## [Commercial features](hololens-commercial-features.md)
+## [Deploy HoloLens in a commercial environment](hololens-requirements.md)
+## [Determine what licenses you need](hololens-licenses-requirements.md)
+## [Configure your network for HoloLens](hololens-commercial-infrastructure.md)
## [Unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md)
-## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
+## [Use a provisioning package to configure HoloLens](hololens-provisioning.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
-## [Set up ring based updates for HoloLens](hololens-updates.md)
+## [Manage HoloLens updates](hololens-updates.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
# Navigating Windows Holographic
## [Start menu and mixed reality home](holographic-home.md)
## [Use your voice with HoloLens](hololens-cortana.md)
-## [Find and save files](holographic-data.md)
-## [Create, share, and view photos and video](holographic-photos-and-videos.md)
+## [Find, open, and save files](holographic-data.md)
+## [Create mixed reality photos and videos](holographic-photos-and-videos.md)
# User management and access management
-## [Accounts on HoloLens](hololens-identity.md)
+## [Manage user identity and sign-in for HoloLens](hololens-identity.md)
## [Share your HoloLens with multiple people](hololens-multiple-users.md)
-## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md)
-## [Set up limited application access](hololens-kiosk.md)
+## [Set up HoloLens as a kiosk](hololens-kiosk.md)
-# Holographic Applications
-## [Try 3D Viewer](holographic-3d-viewer-beta.md)
+# Holographic applications
+## [Use 3D Viewer on HoloLens](holographic-3d-viewer-beta.md)
## [Find, install, and uninstall applications](holographic-store-apps.md)
-## [Install and uninstall custom applications](holographic-custom-apps.md)
+## [Manage custom apps for HoloLens](holographic-custom-apps.md)
# Accessories and connectivity
## [Connect to Bluetooth and USB-C devices](hololens-connect-devices.md)
## [Use the HoloLens (1st gen) clicker](hololens1-clicker.md)
## [Connect to a network](hololens-network.md)
-## [Use HoloLens offline](hololens-offline.md)
+## [Manage connection endpoints for HoloLens](hololens-offline.md)
# Hologram optics and placement in space
-## [Tips for viewing clear Holograms](hololens-calibration.md)
+## [Improve visual quality and comfort](hololens-calibration.md)
## [Environment considerations for HoloLens](hololens-environment-considerations.md)
-## [Spatial mapping on HoloLens](hololens-spaces.md)
+## [Map physical spaces with HoloLens](hololens-spaces.md)
# Update, troubleshoot, or recover HoloLens
## [Update HoloLens](hololens-update-hololens.md)
-## [Restart, reset, or recover](hololens-recovery.md)
-## [Troubleshoot HoloLens](hololens-troubleshooting.md)
-## [Known issues](hololens-known-issues.md)
+## [Restart, reset, or recover HoloLens](hololens-recovery.md)
+## [Troubleshoot HoloLens issues](hololens-troubleshooting.md)
+## [Collect diagnostic information from HoloLens devices](hololens-diagnostic-logs.md)
+## [Known issues for HoloLens](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md)
-## [Hololens services status](hololens-status.md)
+## [Frequently asked security questions](hololens-faq-security.md)
+## [Status of the HoloLens services](hololens-status.md)
+## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f)
-# [Release Notes](hololens-release-notes.md)
+# Resources
+## [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md)
+
+# [HoloLens release notes](hololens-release-notes.md)
# [Give us feedback](hololens-feedback.md)
-# [Join the Windows Insider program](hololens-insider.md)
+# [Insider preview for Microsoft HoloLens](hololens-insider.md)
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 4b3449e838..9a1b48b3eb 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -1,7 +1,7 @@
---
title: Change history for Microsoft HoloLens documentation
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics for HoloLens.
keywords: change history
ms.prod: hololens
diff --git a/devices/hololens/holographic-3d-viewer-beta.md b/devices/hololens/holographic-3d-viewer-beta.md
index 0973813221..90c5b236fd 100644
--- a/devices/hololens/holographic-3d-viewer-beta.md
+++ b/devices/hololens/holographic-3d-viewer-beta.md
@@ -1,6 +1,6 @@
---
-title: Using 3D Viewer on HoloLens
-description: Describes the types of files and features that 3D Viewer Beta on HoloLens supports, and how to use and troubleshoot the app.
+title: Using 3D Viewer Beta on HoloLens
+description: Describes the types of files and features that 3D Viewer Beta on HoloLens (1st gen) supports, and how to use and troubleshoot the app.
ms.prod: hololens
ms.sitesec: library
author: Teresa-Motiv
@@ -15,15 +15,18 @@ appliesto:
- HoloLens (1st gen)
---
-# Using 3D Viewer on HoloLens
+# Using 3D Viewer Beta on HoloLens
-3D Viewer lets you view 3D models on HoloLens. You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps.
+3D Viewer Beta lets you view 3D models on HoloLens (1st gen). You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps.
-If you're having trouble opening a 3D model in 3D Viewer, or certain features of your 3D model are unsupported, see [Supported content specifications](#supported-content-specifications).
+>[!NOTE]
+>This article applies to the immersive Unity **3D Viewer Beta** app, which supports .fbx files and is only available on HoloLens (1st gen). The pre-installed **3D Viewer** app on HoloLens 2 supports opening custom .glb 3D models in the mixed reality home (see [Asset requirements overview](https://docs.microsoft.com/windows/mixed-reality/creating-3d-models-for-use-in-the-windows-mixed-reality-home#asset-requirements-overview) for more details.
-To build or optimize 3D models for use with 3D Viewer, see [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer-beta).
+If you're having trouble opening a 3D model in 3D Viewer Beta, or certain features of your 3D model are unsupported, see [Supported content specifications](#supported-content-specifications).
-There are two ways to open a 3D model on HoloLens. See [Viewing 3D models on HoloLens](#viewing-3d-models-on-hololens) to learn more.
+To build or optimize 3D models for use with 3D Viewer Beta, see [Optimizing 3D models for 3D Viewer Beta](#optimizing-3d-models-for-3d-viewer-beta).
+
+There are two ways to open a 3D model on HoloLens. See [Viewing FBX files on HoloLens](#viewing-fbx-files-on-hololens) to learn more.
If you're having trouble after reading these topics, see [Troubleshooting](#troubleshooting).
@@ -122,7 +125,7 @@ By default, 3D Viewer Beta displays 3D models at a comfortable size and position
To prevent scaling of the model, add a Boolean custom attribute to any object in the scene named Microsoft_DisableScale and set it to true. 3D Viewer Beta will then respect the FbxSystemUnit information baked into the FBX file. Scale in 3D Viewer Beta is 1 meter per FBX unit.
-## Viewing 3D models on HoloLens
+## Viewing FBX files on HoloLens
### Open an FBX file from Microsoft Edge
diff --git a/devices/hololens/holographic-custom-apps.md b/devices/hololens/holographic-custom-apps.md
index 0a86a7b37a..3cc01691d6 100644
--- a/devices/hololens/holographic-custom-apps.md
+++ b/devices/hololens/holographic-custom-apps.md
@@ -1,6 +1,6 @@
---
title: Manage custom apps for HoloLens
-description: Side load custom apps on HoloLens. Learn more about installing, and uninstalling holographic apps.
+description: Side load custom apps on HoloLens. Learn more about installing, and uninstalling holographic apps.
ms.assetid: 6bd124c4-731c-4bcc-86c7-23f9b67ff616
ms.date: 07/01/2019
manager: v-miegge
@@ -11,12 +11,15 @@ author: mattzmsft
ms.author: mazeller
ms.topic: article
ms.localizationpriority: medium
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
-# Install and manage custom applications (non-store)
+# Manage custom apps for HoloLens
HoloLens supports many existing applications from the Microsoft Store, as well as new apps built specifically for HoloLens. This article focuses on custom holographic applications.
diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md
index a183165e4a..38964c7a7d 100644
--- a/devices/hololens/hololens-FAQ.md
+++ b/devices/hololens/hololens-FAQ.md
@@ -1,5 +1,5 @@
---
-title: Frequently asked questions about HoloLens and holograms
+title: Frequently asked questions about HoloLens devices and holograms
description: Do you have a quick question about HoloLens or interacting with holograms? This article provides a quick answer and more resources.
keywords: hololens, faq, known issue, help
ms.prod: hololens
@@ -9,40 +9,47 @@ ms.author: v-tea
ms.topic: article
audience: ITPro
ms.localizationpriority: medium
-ms.date: 10/30/2019
+ms.date: 02/27/2020
ms.reviewer:
+ms.custom:
+- CI 114606
+- CSSTroubleshooting
manager: jarrettr
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
-# HoloLens and holograms: Frequently asked questions
+# Frequently asked questions about HoloLens devices and holograms
-Here are some answers to questions you might have about using HoloLens, placing holograms, working with spaces, and more.
+This article answers some questions that you may have about how to use HoloLens, including how to place holograms, work with spaces, and more.
-Any time you're having problems, make sure HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see if that fixes things. And please use the Feedback app to send us info about the issue—you'll find it on the [**Start** menu](holographic-home.md).
+Any time that you have problems, make sure that HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see whether that fixes things. And please use the Feedback app to send us information about the issue. You'll find the Feedback app on the [**Start** menu](holographic-home.md).
-For tips about wearing your HoloLens, see [HoloLens fit and comfort: FAQ](https://support.microsoft.com/help/13405/hololens-fit-and-comfort-faq).
+For tips about hwo to wear your HoloLens, see [HoloLens (1st gen) fit and comfort frequently asked questions](hololens1-fit-comfort-faq.md).
-This FAQ addresses the following questions and issues:
+This article addresses the following questions and issues:
- [My holograms don't look right or are moving around](#my-holograms-dont-look-right-or-are-moving-around)
- [I see a message that says "Finding your space"](#i-see-a-message-that-says-finding-your-space)
-- [I'm not seeing the holograms I expect to see in my space](#im-not-seeing-the-holograms-i-expect-to-see-in-my-space)
-- [I can't place holograms where I want](#i-cant-place-holograms-where-i-want)
+- [I'm not seeing the holograms that I expect to see in my space](#im-not-seeing-the-holograms-that-i-expect-to-see-in-my-space)
+- [I can't place holograms where I want to](#i-cant-place-holograms-where-i-want-to)
- [Holograms disappear or are encased in other holograms or objects](#holograms-disappear-or-are-encased-in-other-holograms-or-objects)
- [I can see holograms that are on the other side of a wall](#i-can-see-holograms-that-are-on-the-other-side-of-a-wall)
-- [When I place a hologram on a wall, it seems to float](#when-i-place-a-hologram-on-a-wall-it-seems-to-float)
+- [When I place a hologram on a wall, the hologram seems to float](#when-i-place-a-hologram-on-a-wall-the-hologram-seems-to-float)
- [Apps appear too close to me when I'm trying to move them](#apps-appear-too-close-to-me-when-im-trying-to-move-them)
- [I'm getting a low disk space error](#im-getting-a-low-disk-space-error)
- [HoloLens doesn't respond to my gestures](#hololens-doesnt-respond-to-my-gestures)
- [HoloLens doesn't respond to my voice](#hololens-doesnt-respond-to-my-voice)
- [I'm having problems pairing or using a Bluetooth device](#im-having-problems-pairing-or-using-a-bluetooth-device)
-- [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker)
+- [HoloLens Settings lists devices as available, but the devices don't work](#hololens-settings-lists-devices-as-available-but-the-devices-dont-work)
+- [I'm having problems using the HoloLens clicker](#im-having-problems-using-the-hololens-clicker)
- [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi)
- [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start)
+- [I can't sign in to a HoloLens device because it was previously set up for someone else](#i-cant-sign-in-to-a-hololens-device-because-it-was-previously-set-up-for-someone-else)
+- [Questions about managing HoloLens devices](#questions-about-managing-hololens-devices)
+- [Questions about securing HoloLens devices](#questions-about-securing-hololens-devices)
- [How do I delete all spaces?](#how-do-i-delete-all-spaces)
- [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator)
@@ -51,85 +58,85 @@ This FAQ addresses the following questions and issues:
If your holograms don't look right (for example, they're jittery or shaky, or you see black patches on top of them), try one of these fixes:
- [Clean your device visor](hololens1-hardware.md#care-and-cleaning) and make sure nothing is blocking the sensors.
-- Make sure you're in a well-lit room without a lot of direct sunlight.
-- Try walking around and gazing at your surroundings so HoloLens can scan them more completely.
+- Make sure that you're in a well-lit room that does not have a lot of direct sunlight.
+- Try walking around and gazing at your surroundings so that HoloLens can scan them more completely.
- If you've placed a lot of holograms, try removing some.
-If you're still having problems, trying running the Calibration app, which calibrates your HoloLens just for you, to help keep your holograms looking their best. Go to **Settings **>** System **>** Utilities**. Under Calibration, select **Open Calibration**.
+If you're still having problems, trying running the Calibration app. This app calibrates your HoloLens just for you to help keep your holograms looking their best. To do this, go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
[Back to list](#list)
-## I see a message that says Finding your space
+## I see a message that says "Finding your space"
-When HoloLens is learning or loading a space, you might see a brief message that says "Finding your space." If this message continues for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space."
+When HoloLens is learning or loading a space, you may see a brief message that says "Finding your space." If this message displays for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space."
-These messages mean that HoloLens is having trouble mapping your space. When this happens, you'll be able to open apps, but you won't be able to place holograms in your environment.
+These messages mean that HoloLens is having trouble mapping your space. When this happens, you can open apps, but you can't place holograms in your environment.
-If you see these messages often, try the following:
+If you see these messages often, try one or more of the following fixes:
-- Make sure you're in a well-lit room without a lot of direct sunlight.
-- Make sure your device visor is clean. [Learn how](hololens1-hardware.md#care-and-cleaning).
-- Make sure you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings **> **Network & Internet** >** Wi-Fi**.
+- Make sure that you're in a well-lit room that does not have a lot of direct sunlight.
+- Make sure that your device visor is clean. [Learn how to clean your visor](hololens1-hardware.md#care-and-cleaning).
+- Make sure that you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak Wi-Fi signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings** > **Network & Internet** > **Wi-Fi**.
- Try moving more slowly.
[Back to list](#list)
-## I'm not seeing the holograms I expect to see in my space
+## I'm not seeing the holograms that I expect to see in my space
-If you don't see holograms you placed, or you're seeing some you don't expect, try the following:
+If you don't see the holograms that you placed, or if you're seeing some that you don't expect, try one or more of the following fixes:
-- Try turning on some lights. HoloLens works best in a well-lit space.
-- Remove holograms you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**.
+- Turn on some lights. HoloLens works best in a well-lit space.
+- Remove holograms that you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**.
> [!NOTE]
> If the layout or lighting in your space changes significantly, your device might have trouble identifying your space and showing your holograms.
[Back to list](#list)
-## I can't place holograms where I want
+## I can't place holograms where I want to
Here are some things to try if you're having trouble placing holograms:
-- Stand about 1 to 3 meters from where you're trying to place the hologram.
+- Stand between one and three meters from where you're trying to place the hologram.
- Don't place holograms on black or reflective surfaces.
-- Make sure you're in a well-lit room without a lot of direct sunlight.
+- Make sure that you're in a well-lit room that does not have a lot of direct sunlight.
- Walk around the rooms so HoloLens can rescan your surroundings. To see what's already been scanned, air tap to reveal the mapping mesh graphic.
[Back to list](#list)
## Holograms disappear or are encased in other holograms or objects
-If you get too close to a hologram, it will temporarily disappear—just move away from it. Also, if you've placed a lot of holograms close together, some may disappear. Try removing a few.
+If you get too close to a hologram, it will temporarily disappear—to restore the hologram, just move away from it. Also, if you've placed several holograms close together, some may disappear. Try removing a few.
-Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following:
+Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following fixes:
-- If the hologram is encased in another hologram, move it to another location: select **Adjust**, then tap and hold to position it.
+- If the hologram is encased in another hologram, move the encased hologram to another location. To do this, select **Adjust**, then tap and hold to position it.
- If the hologram is encased in a wall, select **Adjust**, then walk toward the wall until the hologram appears. Tap and hold, then pull the hologram forward and out of the wall.
-- If you can't move the hologram with gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen it and place it in a new location.
+- If you can't move the hologram by using gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen the hologram and place it in a new location.
[Back to list](#list)
## I can see holograms that are on the other side of a wall
-If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you'll be able to see holograms that are in the next room. Stand 1 to 3 meters from the wall and gaze to scan it.
+If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you can see holograms that are in the next room. To scan the wall, stand between one and three meters from the wall and gaze at it.
-If HoloLens has problems scanning the wall, it might be because there's a black or reflective object nearby (for example, a black couch or a stainless steel refrigerator). If there is, scan the other side of the wall.
+A black or reflective object (for example, a black couch or a stainless steel refrigerator) near the wall may cause problems when HoloLens tries to scan the wall. If there is such an object, scan the other side of the wall.
[Back to list](#list)
-## When I place a hologram on a wall, it seems to float
+## When I place a hologram on a wall, the hologram seems to float
-Holograms placed on walls will appear to be an inch or so away from the wall. If they appear farther away, try the following:
+A hologram that you place on a wall typically appears to be an inch or so away from the wall. If it appears to be farther away, try one or more of the following fixes:
-- Stand 1 to 3 meters from the wall when you place a hologram and face the wall straight on.
-- Air tap the wall to reveal the mapping mesh graphic. Make sure the mesh is lined up with the wall. If it isn't, remove the hologram, rescan the wall, and try again.
+- When you place a hologram on a wall, stand between one and three meters from the wall and face the wall straight on.
+- Air tap the wall to reveal the mapping mesh graphic. Make sure that the mesh aligns with the wall. If it doesn't, remove the hologram, rescan the wall, and then try again.
- If the issue persists, run the Calibration app. You'll find it in **Settings** > **System** > **Utilities**.
[Back to list](#list)
## Apps appear too close to me when I'm trying to move them
-Try walking around and looking at the area where you're placing the app so HoloLens will scan it from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help.
+Try walking around and looking at the area where you're placing the app so that HoloLens scans the area from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help.
[Back to list](#list)
@@ -137,21 +144,38 @@ Try walking around and looking at the area where you're placing the app so HoloL
Free up some storage space by doing one or more of the following:
-- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md)
+- Remove some of the holograms that you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md)
- Delete some pictures and videos in the Photos app.
-- Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.)
+- Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, then select **Uninstall**. (Uninstalling the app also deletes any data that the app stores on the device.)
[Back to list](#list)
## HoloLens doesn't respond to my gestures
-To make sure HoloLens can see your gestures, keep your hand in the gesture frame, which extends a couple of feet on either side of you. HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor will change from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md).
+To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md).
[Back to list](#list)
## HoloLens doesn't respond to my voice
-If Cortana isn't responding to your voice, make sure Cortana is on. In the **All apps** list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
+HoloLens (1st gen) and HoloLens 2 have built-in speech recognition, and also support Cortana (online speech recognition).
+
+### Built-in voice commands do not work
+
+On HoloLens (1st gen), built-in speech recognition is not configurable. It is always turned on. On HoloLens 2, you can choose whether to turn on both speech recognition and Cortana during device setup.
+
+If your HoloLens 2 is not responding to your voice, make sure Speech recognition is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and turn on **Speech recognition**.
+
+### Cortana or Dictation doesn't work
+
+If Cortana or Dictation isn't responding to your voice, make sure online speech recognition is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and verify the **Online speech recognition** settings.
+
+If Cortana is still not responding, do one of the following to verify that Cortana itself is turned on:
+
+- In **All apps**, select **Cortana** > select **Menu** > **Notebook** > **Settings** to make changes.
+- On HoloLens 2, select the **Speech settings** button or say "Speech settings."
+
+To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
[Back to list](#list)
@@ -159,42 +183,46 @@ If Cortana isn't responding to your voice, make sure Cortana is on. In the **All
If you're having problems [pairing a Bluetooth device](hololens-connect-devices.md), try the following:
-- Go to **Settings** > **Devices** and make sure Bluetooth is turned on. If it is, try turning if off and on again.
-- Make sure your Bluetooth device is fully charged or has fresh batteries.
-- If you still can't connect, [restart your HoloLens](hololens-recovery.md).
-
-If you're having trouble using a Bluetooth device, make sure it's a supported device. Supported devices include:
-
-- English-language QWERTY Bluetooth keyboards, which can be used anywhere you use the holographic keyboard.
-- Bluetooth mice.
-- The [HoloLens clicker](hololens1-clicker.md).
-
-Other Bluetooth HID and GATT devices can be paired, but they might require a companion app from Microsoft Store to work with HoloLens.
-
-HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported.
+- Go to **Settings** > **Devices**, and make sure that Bluetooth is turned on. If it is, turn it off and on again.
+- Make sure that your Bluetooth device is fully charged or has fresh batteries.
+- If you still can't connect, [restart the HoloLens](hololens-recovery.md).
[Back to list](#list)
-## I'm having problems with the HoloLens clicker
+## HoloLens Settings lists devices as available, but the devices don't work
-Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Additional clicker gestures may vary from app to app.
+HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported.
-If you're having trouble using the clicker, make sure its charged and paired with your HoloLens. If the battery is low, the indicator light will blink amber. To see if its paired, go to **Settings** > **Devices** and see if it shows up there. [Pair the clicker](hololens-connect-devices.md#pair-the-clicker).
+If you're having trouble using a Bluetooth device, make sure that it's a supported device. Supported devices include the following:
+
+- English-language QWERTY Bluetooth keyboards (you can use these anywhere that you use the holographic keyboard).
+- Bluetooth mice.
+- The [HoloLens clicker](hololens1-clicker.md).
+
+You can pair other Bluetooth HID and GATT devices together with your HoloLens. However, you may have to install corresponding companion apps from Microsoft Store to actually use the devices.
+
+[Back to list](#list)
+
+## I'm having problems using the HoloLens clicker
+
+Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Individial apps may support additional clicker gestures.
+
+If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#hololens-1st-gen-pair-the-clicker).
If the clicker is charged and paired and you're still having problems, reset it by holding down the main button and the pairing button for 15 seconds. Then pair the clicker with your HoloLens again.
-If that doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker).
+If resetting the clicker doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker).
[Back to list](#list)
## I can't connect to Wi-Fi
-Here are some things to try if you can't connect to Wi-Fi on HoloLens:
+Here are some things to try if you can't connect your HoloLens to a Wi-Fi network:
-- Make sure Wi-Fi is turned on. Bloom to go to Start, then select **Settings** > **Network & Internet** > **Wi-Fi** to check. If Wi-Fi is on, try turning it off and on again.
+- Make sure that Wi-Fi is turned on. To check, use the Start gesture, then select **Settings** > **Network & Internet** > **Wi-Fi**. If Wi-Fi is on, try turning it off and then on again.
- Move closer to the router or access point.
- Restart your Wi-Fi router, then [restart HoloLens](hololens-recovery.md). Try connecting again.
-- If none of these things work, check to make sure your router is using the latest firmware. You can find this information on the manufacturers website.
+- If none of these things work, check to make sure that your router is using the latest firmware. You can find this information on the manufacturer website.
[Back to list](#list)
@@ -204,6 +232,54 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe
[Back to list](#list)
+## I can't sign in to a HoloLens device because it was previously set up for someone else
+
+If your device was previously set up for someone else, either for a client or for a former employee, and you don't have their password to unlock the device, you can do one of the following:
+
+- For a device that is enrolled in Intune mobile device management (MDM), you can use Intune to remotely [wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device. The device then re-flashes itself.
+ > [!IMPORTANT]
+ > When you wipe the device, make sure to leave **Retain enrollment state and user account** unchecked.
+- For a non-MDM device, you can [put the device into **Flashing Mode** and use Advanced Recovery Companion](hololens-recovery.md#re-install-the-operating-system) to recover the device.
+
+[Back to list](#list)
+
+## Questions about managing HoloLens devices
+
+### Can I use System Center Configuration Manager (SCCM) to manage HoloLens devices?
+
+No. You have to use an MDM system to manage HoloLens devices.
+
+### Can I use Active Directory Domain Services (AD DS) to manage HoloLens user accounts?
+
+No. You have to use Azure Active Directory (AAD) to manage user accounts for HoloLens devices.
+
+### Is HoloLens capable of Automated Data Capture Systems (ADCS) auto-enrollment?
+
+No.
+
+### Can HoloLens participate in Integrated Windows Authentication?
+
+No.
+
+### Does HoloLens support branding?
+
+No. However, you can work around this issue by using one of the following approaches:
+
+- Create a custom app, and then [enable Kiosk mode](hololens-kiosk.md). The custom app can have branding, and can launch other apps (such as Remote Assist).
+- Change all of the user profile pictures in AAD to your company logo. However, this may not be desirable for all scenarios.
+
+### What logging capabilities do HoloLens (1st gen) and HoloLens 2 offer?
+
+Logging is limited to traces that can be captured in development or troubleshooting scenarios, or telemetry that the devices send to Microsoft servers.
+
+[Back to list](#list)
+
+## Questions about securing HoloLens devices
+
+See [frequently asked questions about securing HoloLens devices](hololens-faq-security.md).
+
+[Back to list](#list)
+
## How do I delete all spaces?
*Coming soon*
diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md
index cfc55d1070..b03fb4479f 100644
--- a/devices/hololens/hololens-calibration.md
+++ b/devices/hololens/hololens-calibration.md
@@ -33,7 +33,8 @@ HoloLens 2 prompts a user to calibrate the device under the following circumstan
- The user previously opted out of the calibration process
- The calibration process did not succeed the last time the user used the device
- The user has deleted their calibration profiles
-- The visor is raised and the lowered and any of the above circumstances apply (this may be disabled in **Settings > System > Calibration**.)
+- The device is taken off and put back on and any of the above circumstances apply
+
@@ -85,6 +86,8 @@ If calibration is unsuccessful try:
If you followed all guidelines and calibration is still failing, please let us know by filing feedback in [Feedback Hub](hololens-feedback.md).
+Note that setting IPD is not applicable for Hololens 2, since eye positions are computed by the system.
+
### Calibration data and security
Calibration information is stored locally on the device and is not associated with any account information. There is no record of who has used the device without calibration. This mean new users will get prompted to calibrate visuals when they use the device for the first time, as well as users who opted out of calibration previously or if calibration was unsuccessful.
@@ -104,6 +107,8 @@ You can also disable the calibration prompt by following these steps:
### HoloLens 2 eye-tracking technology
The device uses its eye-tracking technology to improve display quality, and to ensure that all holograms are positioned accurately and comfortable to view in 3D. Because it uses the eyes as landmarks, the device can adjust itself for every user and tune its visuals as the headset shifts slightly throughout use. All adjustments happen on the fly without a need for manual tuning.
+> [!NOTE]
+> Setting the IPD is not applicable for Hololens 2, since eye positions are computed by the system.
HoloLens applications use eye tracking to track where you are looking in real time. This is the main capability developers can leverage to enable a whole new level of context, human understanding and interactions within the Holographic experience. Developers don’t need to do anything to leverage this capability.
diff --git a/devices/hololens/hololens-commercial-features.md b/devices/hololens/hololens-commercial-features.md
index 309d81e904..f53558ec75 100644
--- a/devices/hololens/hololens-commercial-features.md
+++ b/devices/hololens/hololens-commercial-features.md
@@ -5,6 +5,9 @@ keywords: HoloLens, commercial, features, mdm, mobile device management, kiosk m
author: scooley
ms.author: scooley
ms.date: 08/26/2019
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
ms.topic: article
audience: ITPro
ms.prod: hololens
@@ -40,7 +43,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a
- **Windows Update for Business.** Windows Update for Business provides controlled operating system updates to devices and support for the long-term servicing channel.
- **Data security.** BitLocker data encryption is enabled on HoloLens to provide the same level of security protection as any other Windows device.
- **Work access.** Anyone in your organization can remotely connect to the corporate network through virtual private network (VPN) on a HoloLens. HoloLens can also access Wi-Fi networks that require credentials.
-- **Microsoft Store for Business.** Your IT department can also set up an enterprise private store, containing only your company’s apps for your specific HoloLens usage. Securely distribute your enterprise software to selected group of enterprise users.
+- **Microsoft Store for Business.** Your IT department can also set up an enterprise private store, containing only your company's apps for your specific HoloLens usage. Securely distribute your enterprise software to selected group of enterprise users.
## Feature comparison between editions
@@ -48,7 +51,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a
|---|:---:|:---:|:---:|
|Device Encryption (BitLocker) | |✔️ |✔️ |
|Virtual Private Network (VPN) | |✔️ |✔️ |
-|[Kiosk mode](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#kiosk-mode) | |✔️ |✔️ |
+|[Kiosk mode](hololens-kiosk.md) | |✔️ |✔️ |
|**Management and deployment** | | | |
|Mobile Device Management (MDM) | |✔️ |✔️ |
|Ability to block unenrollment | |✔️ |✔️ |
@@ -67,12 +70,12 @@ HoloLens (1st gen) came with two licensing options, the developer license and a
## Enabling commercial features
-Your organization's IT admin can set up commercial features such as Microsoft Store for Business, kiosk mode, and enterprise Wi-Fi access. The [Microsoft HoloLens](https://docs.microsoft.com/hololens) documentation provides step-by-step instructions for enrolling devices and installing apps from Microsoft Store for Business.
+Your organization's IT admin can set up commercial features such as Microsoft Store for Business, kiosk mode, and enterprise Wi-Fi access. The [Microsoft HoloLens](index.md) documentation provides step-by-step instructions for enrolling devices and installing apps from Microsoft Store for Business.
## See also
-- [Microsoft HoloLens](https://docs.microsoft.com/hololens)
-- [Kiosk mode](/windows/mixed-reality/using-the-windows-device-portal.md#kiosk-mode)
+- [Microsoft HoloLens](index.md)
+- [Kiosk mode](hololens-kiosk.md)
- [CSPs supported in HoloLens devices](/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices)
- [Microsoft Store For Business and line of business applications](https://blogs.technet.microsoft.com/sbucci/2016/04/13/windows-store-for-business-and-line-of-business-applications/)
- [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps)
diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md
index ad23e185ee..ddeb2b11b2 100644
--- a/devices/hololens/hololens-commercial-infrastructure.md
+++ b/devices/hololens/hololens-commercial-infrastructure.md
@@ -10,104 +10,181 @@ ms.topic: article
ms.localizationpriority: high
ms.date: 1/23/2020
ms.reviewer:
+audience: ITPro
manager: bradke
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
-# Configure Your Network
+# Configure Your Network for HoloLens
This portion of the document will require the following people:
-1. Network Admin with permissions to make changes to the proxy/firewall
-2. Azure Active Directory Admin
-3. Mobile Device Manager Admin
-4. Teams admin for Remote Assist only
+
+1. Network Admin with permissions to make changes to the proxy/firewall
+2. Azure Active Directory Admin
+3. Mobile Device Manager Admin
## Infrastructure Requirements
+HoloLens is, at its core, a Windows mobile device integrated with Azure. It works best in commercial environments with wireless network availability (wi-fi) and access to Microsoft services.
+
+Critical cloud services include:
+
+- Azure active directory (AAD)
+- Windows Update (WU)
+
+Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure to manage HoloLens devices at scale. This guide uses [Microsoft Intune](https://www.microsoft.com/enterprise-mobility-security/microsoft-intune) as an example, though any provider with full support for Microsoft Policy can support HoloLens. Ask your mobile device management provider if they support HoloLens 2.
+
+HoloLens does support a limited set of cloud disconnected experiences.
+
+### Wireless network EAP support
+
+- PEAP-MS-CHAPv2
+- PEAP-TLS
+- TLS
+- TTLS-CHAP
+- TTLS-CHAPv2
+- TTLS-MS-CHAPv2
+- TTLS-PAP
+- TTLS-TLS
+
### HoloLens Specific Network Requirements
-Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md).
+
+Make sure that [this list](hololens-offline.md) of endpoints are allowed on your network firewall. This will enable HoloLens to function properly.
### Remote Assist Specific Network Requirements
-1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
-**Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.**
+1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
+**(Please note, if you don't network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).**
1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
### Guides Specific Network Requirements
+
Guides only require network access to download and use the app.
## Azure Active Directory Guidance
-This step is only necessary if your company plans on managing the HoloLens and mixed reality apps.
-### 1. Ensure that you have an Azure AD License.
-Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information.
+> [!NOTE]
+> This step is only necessary if your company plans on managing the HoloLens.
-### 2. Ensure that your company’s users are in Azure Active Directory (Azure AD).
+1. Ensure that you have an Azure AD License.
+Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information.
+
+1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
+
+1. Ensure that your company's users are in Azure Active Directory (Azure AD).
Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
-### 3. We suggest that users who will be need similar licenses are added to a group.
-1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
+1. We suggest that users who need similar licenses are added to the same group.
+ 1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
+ 1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
-2. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
-
-### 4. Ensure that your company’s users (or group of users) are assigned the necessary licenses.
+1. Ensure that your company's users (or group of users) are assigned the necessary licenses.
Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups).
-### 5. **IMPORTANT:** Only do this step if users are expected to enroll their HoloLens/Mobile device onto the network.
-These steps ensure that your company’s users (or a group of users) can add devices.
-1. Option 1: Give all users permission to join devices to Azure AD.
+1. Only do this step if users are expected to enroll their HoloLens/Mobile device into you (There are three options)
+These steps ensure that your company's users (or a group of users) can add devices.
+ 1. **Option 1:** Give all users permission to join devices to Azure AD.
**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
**Set Users may join devices to Azure AD to *All***
-1. Option 2: Give selected users/groups permission to join devices to Azure AD
+ 1. **Option 2:** Give selected users/groups permission to join devices to Azure AD
**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
**Set Users may join devices to Azure AD to *Selected***
-1. Option 3: You can block all users from joining their devices to the domain. This means that all devices will need to be manually enrolled by your IT department.
+ 1. **Option 3:** You can block all users from joining their devices to the domain. This means that all devices will need to be manually enrolled.
-## Mobile Device Manager Admin Steps
+## Mobile Device Manager Guidance
-### Scenario 1: Kiosk Mode
-As a note, auto-launching an app does not currently work for HoloLens.
+### Ongoing device management
-How to Set Up Kiosk Mode Using Microsoft Intune.
-#### 1. Sync Microsoft Store to Intune ([Here](https://docs.microsoft.com/intune/apps/windows-store-for-business))
+> [!NOTE]
+> This step is only necessary if your company plans to manage the HoloLens.
-#### 2. Check your app settings
+Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely.
-1. Log into your Microsoft Store Business account
-1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”**
-1. If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
+1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. A list of CSPs for HoloLens can be found [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices).
-#### 3. Configuring Kiosk Mode using MDM
+1. [Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant. For example, you can create a policy that requires Bitlocker be enabled.
-Information on configuring Kiosk Mode in Intune can be found [here](https://docs.microsoft.com/hololens/hololens-kiosk#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)
+1. [Create Compliance Policy](https://docs.microsoft.com/intune/protect/compliance-policy-create-windows).
- >[!NOTE]
- >You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
+1. Conditional Access allows/denies mobile devices and mobile applications from accessing company resources. Two documents you may find helpful are [Plan your CA Deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) and [Best Practices](https://docs.microsoft.com/azure/active-directory/conditional-access/best-practices).
-
+1. [This article](https://docs.microsoft.com/intune/fundamentals/windows-holographic-for-business) talks about Intune's management tools for HoloLens.
-If you are configuring Kiosk Mode on an MDM other than Intune, please check your MDM provider's documentation.
+1. [Create a device profile](https://docs.microsoft.com/intune/configuration/device-profile-create)
-## Additional Intune Quick Links
+### Manage updates
-1. [Create Profiles:](https://docs.microsoft.com/intune/configuration/device-profile-create) Profiles allow you to add and configure settings that will be pushed to the devices in your organization.
+Intune includes a feature called Update rings for Windows 10 devices, including HoloLens 2 and HoloLens v1 (with Holographic for Business). Update rings include a group of settings that determine how and when updates are installed.
-1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices).
+For example, you can create a maintenance window to install updates, or choose to restart after updates are installed. You can also choose to pause updates indefinitely until you're ready to update.
-1. [Create Compliance Policy](https://docs.microsoft.com/intune/protect/create-compliance-policy)
+Read more about [configuring update rings with Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
-1. Conditional Access allows/denies mobile devices and mobile applications from accessing company resources. Two documents you may find helpful are [Plan your CA Deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) and [Best Practices](https://docs.microsoft.com/azure/active-directory/conditional-access/best-practices).
+### Application management
-## Certificates and Authentication
-### MDM Certificate Distribution
-If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you.
+Manage HoloLens applications through:
+
+1. Microsoft Store
+ The Microsoft Store is the best way to distribute and consume applications on HoloLens. There is a great set of core HoloLens applications already available in the store or you can [publish your own](https://docs.microsoft.com/windows/uwp/publish/).
+ All applications in the store are available publicly to everyone, but if it isn't acceptable, checkout the Microsoft Store for Business.
+
+1. [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/)
+ Microsoft Store for Business and Education is a custom store for your corporate environment. It lets you use the Microsoft Store built into Windows 10 and HoloLens to find, acquire, distribute, and manage apps for your organization. It also lets you deploy apps that are specific to your commercial environment but not to the world.
+
+1. Application deployment and management via Intune or another mobile device management solution
+ Most mobile device management solutions, including Intune, provide a way to deploy line of business applications directly to a set of enrolled devices. See this article for [Intune app install](https://docs.microsoft.com/intune/apps-deploy).
+
+1. _not recommended_ Device Portal
+ Applications can also be installed on HoloLens directly using the Windows Device Portal. This isn't recommended since Developer Mode has to be enabled to use the device portal.
+
+Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololens/hololens-install-apps).
+
+### Certificates
+
+You can distribute certificates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certificates for HoloLens Authentication, PFX or SCEP may be right for you.
Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep).
-### Device Certificates
-Certificates can also be added to the HoloLens through package provisioning. Please see [HoloLens Provisioning](hololens-provisioning.md) for additional information.
+### How to Upgrade to Holographics for Business Commercial Suite
+
+> [!NOTE]
+> Windows Holographics for Business (commercial suite) is only intended for HoloLens 1st gen devices. The profile will not be applied to HoloLens 2 devices.
+
+Directions for upgrading to the commercial suite can be found [here](https://docs.microsoft.com/intune/configuration/holographic-upgrade).
+
+### How to Configure Kiosk Mode Using Microsoft Intune
+
+1. Sync Microsoft Store to Intune ([Here](https://docs.microsoft.com/intune/apps/windows-store-for-business)).
+
+1. Check your app settings
+ 1. Log into your Microsoft Store Business account
+ 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select "Everyone" or "Specific Groups"**
+ >[!NOTE]
+ >If you don't see the app you want, you will have to "get" the app by searching the store for your app. **Click the "Search" bar in the upper right-hand corner > type in the name of the app > click on the app > select "Get"**.
+ 1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
+
+1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile)
+
+> [!NOTE]
+> You can configure different users to have different Kiosk Mode experiences by using "Azure AD" as the "User logon type". However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
+
+
+
+For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)
+
+## Certificates and Authentication
+
+Certificates can be deployed via you MDM (see "certificates" in the [MDM Section](hololens-commercial-infrastructure.md#mobile-device-manager-guidance)). Certificates can also be deployed to the HoloLens through package provisioning. Please see [HoloLens Provisioning](hololens-provisioning.md) for additional information.
+
+### Additional Intune Quick Links
+
+1. [Create Profiles:](https://docs.microsoft.com/intune/configuration/device-profile-create) Profiles allow you to add and configure settings that will be pushed to the devices in your organization.
+
+## Next (Optional) Step: [Configure HoloLens using a provisioning package](hololens-provisioning.md)
+
+## Next Step: [Enroll your device](hololens-enroll-mdm.md)
diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md
index bbe2dad4d3..7926dab884 100644
--- a/devices/hololens/hololens-connect-devices.md
+++ b/devices/hololens/hololens-connect-devices.md
@@ -8,7 +8,7 @@ author: Teresa-Motiv
ms.author: v-tea
ms.topic: article
ms.localizationpriority: high
-ms.date: 09/13/2019
+ms.date: 03/11/2020
manager: jarrettr
appliesto:
- HoloLens (1st gen)
@@ -19,56 +19,58 @@ appliesto:
## Pair Bluetooth devices
-Pair a Bluetooth mouse and keyboard with HoloLens, then use them to interact with holograms and to type anywhere you'd use the holographic keyboard.
-
-Classes of Bluetooth devices supported by HoloLens 2:
+HoloLens 2 supports the following classes of Bluetooth devices:
- Mouse
- Keyboard
- Bluetooth audio output (A2DP) devices
-Classes of Bluetooth devices supported by HoloLens (1st gen):
+HoloLens (1st gen) supports the following classes of Bluetooth devices:
- Mouse
- Keyboard
- HoloLens (1st gen) clicker
> [!NOTE]
-> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may appear as available in HoloLens settings, but aren't supported on HoloLens (1st gen). [Learn more](https://go.microsoft.com/fwlink/p/?LinkId=746660).
+> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may be listed as available in HoloLens settings. However, these devices aren't supported on HoloLens (1st gen). For more information, see [HoloLens Settings lists devices as available, but the devices don't work](hololens-FAQ.md#hololens-settings-lists-devices-as-available-but-the-devices-dont-work).
### Pair a Bluetooth keyboard or mouse
-1. Turn on your keyboard or mouse and make it discoverable. The way you make it discoverable depends on the device. To learn how to do this, check the device or visit the manufacturer's website.
+1. Turn on your keyboard or mouse, and make it discoverable. To learn how to make the device discoverable, look for information on the device (or its documentation) or visit the manufacturer's website.
-1. Use the bloom gesture (HoloLens (1st gen) or the start gesture (HoloLens 2) to go to **Start**, then select **Settings**.
-1. Select **Devices** and make sure that Bluetooth is on. When you see the device name, select **Pair** and follow the instructions.
+1. Use the bloom gesture (HoloLens (1st gen)) or the start gesture (HoloLens 2) to go to **Start**, and then select **Settings**.
+1. Select **Devices**, and make sure that Bluetooth is on.
+1. When you see the device name, select **Pair**, and then follow the instructions.
-### Pair the clicker
+### HoloLens (1st gen): Pair the clicker
-> Applies to HoloLens (1st gen) only.
-
-1. Use the bloom gesture to go to **Start**, then select **Settings**.
-
-1. Select **Devices** and make sure that Bluetooth is on.
-1. Use the tip of a pen to press and hold the clicker's pairing button until the status light blinks white. Make sure to hold the button down until the light starts blinking. [Where's the pairing button?](hololens1-clicker.md)
+1. Use the bloom gesture to go to **Start**, and then select **Settings**.
+1. Select **Devices**, and make sure that Bluetooth is on.
+1. Use the tip of a pen to press and hold the clicker pairing button until the clicker status light blinks white. Make sure to hold down the button until the light starts blinking.
+ The pairing button is on the underside of the clicker, next to the finger loop.
+ 
1. On the pairing screen, select **Clicker** > **Pair**.
-## Connect USB-C devices
+## HoloLens 2: Connect USB-C devices
-> Applies to HoloLens 2 only.
-
-HoloLens 2 lets you connect a wide range of USB-C devices.
-
-HoloLens 2 supports the following devices classes:
+HoloLens 2 supports the following classes of USB-C devices:
- Mass storage devices (such as thumb drives)
-- Ethernet adapters (including ethernet with charging)
-- USB-C to 3.5mm digital audio adapters
-- USB-C digital audio headsets (including headset adapters with charging)
+- Ethernet adapters (including ethernet plus charging)
+- USB-C-to-3.5mm digital audio adapters
+- USB-C digital audio headsets (including headset adapters plus charging)
- Wired mouse
- Wired keyboard
-- Combination PD hubs (USB A + PD charging)
+- Combination PD hubs (USB A plus PD charging)
## Connect to Miracast
-Use Miracast by opening the **Start** menu and selecting the display icon or saying "Connect" while gazing at the **Start** menu. Choose an available device from the list that appears and complete pairing to begin projection.
+To use Miracast, follow these steps:
+
+1. Do one of the following:
+
+ - Open the **Start** menu, and select the display icon.
+ - Say "Connect" while you gaze at the **Start** menu.
+
+1. On the list of devices that appears, select an available device.
+1. Complete the pairing to begin projecting.
diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md
index 82ded27dd3..89a01c0628 100644
--- a/devices/hololens/hololens-cortana.md
+++ b/devices/hololens/hololens-cortana.md
@@ -2,13 +2,13 @@
title: Use your voice with HoloLens
description: Cortana can help you do all kinds of things on your HoloLens
ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed
-ms.date: 11/8/2019
+ms.date: 03/10/2020
keywords: hololens
ms.prod: hololens
ms.sitesec: library
-author: v-miegge
+author: Teresa-Motiv
audience: ITPro
-ms.author: v-miegge
+ms.author: v-tea
ms.topic: article
manager: jarrettr
ms.localizationpriority: high
@@ -30,14 +30,14 @@ This article teaches you how to control HoloLens and your holographic world with
## Built-in voice commands
-Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu.
+Get around HoloLens faster with these basic commands. In order to use these, you need to enable Speech during the first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of the Start menu. For the best speech recognition results, HoloLens 2 uses the Microsoft cloud-based services. However, you can use Settings to disable this feature. To do this, in Settings, turn off **Online speech recognition**. After you change this setting, HoloLens 2 will only process voice data locally to recognize commands and dictation, and Cortana will not be available.
### General speech commands
Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.”
->[!NOTE]
->Hand rays are not supported on HoloLens (1st Gen).
+> [!NOTE]
+> Hand rays are not supported on HoloLens (1st Gen).
| Say this | To do this |
| - | - |
@@ -48,6 +48,19 @@ Use these commands throughout Windows Mixed Reality to get around faster. Some c
|Hide and show hand ray | "Hide hand ray" / "Show hand ray" |
|See available speech commands | "What can I say?" |
+Starting with version 19041.x of HoloLens 2, you can also use these commands:
+
+| Say this | To do this |
+| - | - |
+| "Restart device" | Bring up a dialogue to confirm you want to restart the device. You can say "yes" to restart. |
+| "Shutdown device" | Bring up a dialogue to confirm you want to turn off the device. You can say "yes" to confirm. |
+| "Brightness up/down" | Increase or decrease the display brightness by 10%. |
+| "Volume up/down" | Increase or decrease the volume by 10%. |
+| "What's my IP address" | Bring up a dialogue displaying your device's current IP address on the local network. |
+| "Take a picture" | Capture a mixed reality photo of what you are currently seeing. |
+| "Take a video" | Start recording a mixed reality video. |
+| "Stop recording" | Stops the current mixed reality video recording if one is in progress. |
+
### Hologram commands
To use these commands, gaze at a 3D object, hologram, or app window.
@@ -63,11 +76,11 @@ To use these commands, gaze at a 3D object, hologram, or app window.
### See it, say it
-Many buttons and other elements on HoloLens also respond to your voice—for example, **Follow me** and **Close** on the app bar, or the **Back** button in Edge. To find out if a button is voice-enabled, rest your **gaze cursor** on it for a moment to see a voice tip.
+Many buttons and other elements on HoloLens also respond to your voice—for example, **Follow me** and **Close** on the app bar, or the **Back** button in Edge. To find out if a button is voice-enabled, rest your **gaze cursor**,**touch cursor** or one **hand ray** on it for a moment. If the button is voice-enabled, you'll see a voice tip.
### Dictation mode
-Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that."
+Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that."
> [!NOTE]
> To use dictation mode, you have to have an internet connection.
@@ -87,7 +100,7 @@ Sometimes it's helpful to spell out things like email addresses. For instance, t
## Do more with Cortana
-Cortana can help you do all kinds of things on your HoloLens, from searching the web to shutting down your device. She can give you suggestions, ideas, reminders, alerts, and more. To get her attention, select Cortana on **Start** or say "Hey Cortana" anytime.
+Cortana can help you do all kinds of things on your HoloLens, but depending on which version of Windows Holographic you're using, the capablities may be different. You can learn more about the updated capabilites of the latest version of Cortana [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/).
@@ -96,22 +109,27 @@ Here are some things you can try saying (remember to say "Hey Cortana" first).
**Hey, Cortana**...
- What can I say?
+- Launch <*app name*>.
+- What time is it?
+- Show me the latest NBA scores.
+- Tell me a joke.
+
+If you're using *version 18362.x or earlier*, you can also use these commands:
+
+**Hey, Cortana**...
+
- Increase the volume.
- Decrease the brightness.
- Shut down.
- Restart.
- Go to sleep.
- Mute.
-- Launch <*app name*>.
- Move <*app name*> here (gaze at the spot that you want the app to move to).
- Go to Start.
- Take a picture.
- Start recording. (Starts recording a video.)
- Stop recording. (Stops recording a video.)
-- What time is it?
-- Show me the latest NBA scores.
- How much battery do I have left?
-- Tell me a joke.
Some Cortana features that you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens, and the Cortana experience may vary from one region to another.
diff --git a/devices/hololens/hololens-diagnostic-logs.md b/devices/hololens/hololens-diagnostic-logs.md
new file mode 100644
index 0000000000..212f936079
--- /dev/null
+++ b/devices/hololens/hololens-diagnostic-logs.md
@@ -0,0 +1,269 @@
+---
+title: Collect and use diagnostic information from HoloLens devices
+description:
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 03/23/2020
+ms.prod: hololens
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.topic: article
+ms.custom:
+- CI 115131
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+keywords:
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Collect and use diagnostic information from HoloLens devices
+
+HoloLens users and administrators can choose from among four different methods to collect diagnostic information from HoloLens:
+
+- Feedback Hub app
+- DiagnosticLog CSP
+- Settings app
+- Fallback diagnostics
+
+> [!IMPORTANT]
+> Device diagnostic logs contain personally identifiable information (PII), such as about what processes or applications the user starts during typical operations. When multiple users share a HoloLens device (for example, users sign in to the same device by using different Microsoft Azure Active Directory (AAD) accounts) the diagnostic logs may contain PII information that applies to multiple users. For more information, see [Microsoft Privacy statement](https://privacy.microsoft.com/privacystatement).
+
+The following table compares the four collection methods. The method names link to more detailed information in the sections that follow the table.
+
+|Method |Prerequisites |Data locations |Data access and use |Data retention |
+| --- | --- | --- | --- | --- |
+|[Feedback Hub](#feedback-hub) |Network and internet connection
Feedback Hub app
Permission to upload files to the Microsoft cloud |Microsoft cloud
HoloLens device (optional) |User requests assistance, agrees to the terms of use, and uploads the data
Microsoft employees view the data, as consistent with the terms of use |Data in the cloud is retained for the period that is defined by Next Generation Privacy (NGP). Then the data is deleted automatically.
Data on the device can be deleted at any time by a user who has **Device owner** or **Admin** permissions. |
+|[Settings Troubleshooter](#settings-troubleshooter) |Settings app |HoloLens device
Connected computer (optional) |The user stores the data, and only the user accesses the data (unless the user specifically shares the data with another user). |The data is retained until the user deletes it. |
+|[DiagnosticLog CSP](#diagnosticlog-csp) |Network connection
MDM environment that supports the DiagnosticLog CSP |Administrator configures storage locations |In the managed environment, the user implicitly consents to administrator access to the data.
Administrator configures access roles and permissions. | Administrator configures retention policy. |
+|[Fallback diagnostics](#fallback-diagnostics) |Device configuration:- Powered on and connected to computer
- Power and Volume buttons functioning
|HoloLens device
Connected computer |The user stores the data, and only the user accesses the data (unless the user specifically shares the data with another user). |The data is retained until the user deletes it. |
+
+## Feedback Hub
+
+A HoloLens user can use the Microsoft Feedback Hub desktop app to send diagnostic information to Microsoft Support. For details and complete instructions, see [Give us feedback](hololens-feedback.md).
+
+> [!NOTE]
+> **Commercial or enterprise users:** If you use the Feedback Hub app to report a problem that relates to MDM, provisioning, or any other device management aspect, change the app category to **Enterprise Management** > **Device category**.
+
+### Prerequisites
+
+- The device is connected to a network.
+- The Feedback Hub app is available on the user's desktop computer, and the user can upload files to the Microsoft cloud.
+
+### Data locations, access, and retention
+
+By agreeing to the terms-of-use of the Feedback Hub, the user explicitly consents to the storage and usage of the data (as defined by that agreement).
+
+The Feedback Hub provides two places for the user to store diagnostic information:
+
+- **The Microsoft cloud**. Data that the user uploads by using the Feedback Hub app is stored for the number of days that is consistent with Next Generation Privacy (NGP) requirements. Microsoft employees can use an NGP-compliant viewer to access the information during this period.
+ > [!NOTE]
+ > These requirements apply to data in all Feedback Hub categories.
+
+- **The HoloLens device**. While filing a report in Feedback Hub, the user can select **Save a local copy of diagnostics and attachments created when giving feedback**. If the user selects this option, the Feedback Hub stores a copy of the diagnostic information on the HoloLens device. This information remains accessible to the user (or anyone that uses that account to sign in to HoloLens). To delete this information, a user must have **Device owner** or **Admin** permissions on the device. A user who has the appropriate permissions can sign in to the Feedback Hub, select **Settings** > **View diagnostics logs**, and delete the information.
+
+## Settings Troubleshooter
+
+A HoloLens user can use the Settings app on the device to troubleshoot problems and collect diagnostic information. To do this, follow these steps:
+
+1. Open the Settings app and select **Update & Security** > **Troubleshoot** page.
+1. Select the appropriate area, and select **Start**.
+1. Reproduce the issue.
+1. After you reproduce the issue, return to Settings and then select **Stop**.
+
+### Prerequisites
+
+- The Settings app is installed on the device and is available to the user.
+
+### Data locations, access, and retention
+
+Because the user starts the data collection, the user implicitly consents to the storage of the diagnostic information. Only the user, or anyone with whom that the user shares the data, can access the data.
+
+The diagnostic information is stored on the device. If the device is connected to the user's computer, the information also resides on the computer in the following file:
+
+> This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents\\Trace\<*ddmmyyhhmmss*>.etl
+
+> [!NOTE]
+> In this file path and name, \<*HoloLens device name*> represents the name of the HoloLens device, and \<*ddmmyyhhmmss*> represents the date and time that the file was created.
+
+The diagnostic information remains in these locations until the user deletes it.
+
+## DiagnosticLog CSP
+
+In a Mobile Device Management (MDM) environment, the IT administrator can use the the [DiagnosticLog configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/diagnosticlog-csp) to configure diagnostic settings on enrolled HoloLens devices. The IT administrator can configure these settings to collect logs from enrolled devices.
+
+### Prerequisites
+
+- The device is connected to a network.
+- The device is enrolled in an MDM environment that supports the DiagnosticLog CSP.
+
+### Data locations, access, and retention
+
+Because the device is part of the managed environment, the user implicitly consents to administrative access to diagnostic information.
+
+The IT administrator uses the DiagnosticLog CSP to configure the data storage, retention, and access policies, including the policies that govern the following:
+
+- The cloud infrastructure that stores the diagnostic information.
+- The retention period for the diagnostic information.
+- Permissions that control access to the diagnostic information.
+
+## Fallback diagnostics
+
+While device telemetry usually provides an initial understanding of a problem report, some issues require a broader and deeper understanding of the device state. When you (as a user or an administrator) investigate such issues, diagnostic logs that reside on the device are more useful than the basic device telemetry.
+
+The fallback diagnostics process provides a way for you to gather diagnostic information if no other methods are available. Such scenarios include the following:
+
+- The network or network-based resources (such as the Feedback Hub, MDM, and so on) are not available.
+- The device is "stuck" or locked in a state in which usual troubleshooting capabilities (such as the Settings app) are not available. Such scenarios include the Out-of-Box-Experience (OOBE), kiosk mode, and a locked or "hung" user interface.
+
+> [!IMPORTANT]
+> - On HoloLens 2 devices, you can use fallback diagnostics under the following conditions only:
+> - During the Out-of-the-Box-Experience (OOBE) and when you select **Send Full Diagnostics Data**.
+> - If the environment's Group Policy enforces the **System\AllowTelemetry** policy value of **Full**.
+> - On HoloLens (1st gen) devices, you can use fallback diagnostics on HoloLens version 17763.316 or a later version. This version is the version that the Windows Device Recovery Tool restores when it resets the device.
+
+### How to use fallback diagnostics
+
+Before you start the fallback diagnostics process, make sure of the following:
+
+- The device is connected to a computer by using a USB cable.
+- The device is powered on.
+- The Power and Volume buttons on the device are functioning correctly.
+
+To collect fallback diagnostic information, follow these steps:
+
+1. On the device, press the Power and Volume Down buttons at the same time and then release them.
+1. Wait for few seconds while the device collects the data.
+
+### Data locations
+
+The device stores the data locally. You can access that information from the connected desktop computer at the following location:
+
+> This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents
+
+For more information about the files that the fallback diagnostics process collects, see [What diagnostics files does the fallback diagnostics process collect?](#what-diagnostics-files-does-the-fallback-diagnostics-process-collect).
+
+### Data access, use, and retention
+
+Because you store the data yourself, only you have access to the data. If you choose to share the data with another user, you implicitly grant permission for that user to access or store the data.
+
+The data remains until you delete it.
+
+### Frequently asked questions about fallback diagnostics on HoloLens
+
+#### Does the device have to be enrolled with an MDM system?
+
+No.
+
+#### How can I use fallback diagnostics on HoloLens?
+
+Before you start the fallback diagnostics process, make sure of the following:
+
+- The device is connected to a computer by using a USB cable.
+- The device is powered on.
+- The Power and Volume buttons on the device are functioning correctly.
+
+To collect fallback diagnostic information, follow these steps:
+
+1. On the device, press the Power and Volume Down buttons at the same time and then release them.
+1. Wait for few seconds while the device collects the data.
+
+#### How would I know that data collection finished?
+
+The fallback diagnostics process does not have a user interface. On HoloLens 2, when the process starts to collect data, it creates a file that is named HololensDiagnostics.temp. When the process finishes, it removes the file.
+
+#### What diagnostics files does the fallback diagnostics process collect?
+
+The fallback diagnostics process collects one or more .zip files, depending on the version of HoloLens. The following table lists each of the possible .zip files, and the applicable versions of HoloLens.
+
+|File |Contents |HoloLens (1st gen) |HoloLens 2 10.0.18362+ |HoloLens 2 10.0.19041+ |
+| --- | --- | --- | --- | --- |
+|HololensDiagnostics.zip |Files for tracing sessions that ran on the device.
Diagnostic information that's specific to Hololens. |✔️ |✔️ |✔️ |
+|DeviceEnrollmentDiagnostics.zip |Information that's related to MDM, device enrollment, CSPs, and policies. | |✔️ |✔️ |
+|AutoPilotDiagnostics.zip |Information that's related to autopilot and licensing.| | |✔️ |
+|TPMDiagnostics.zip |Information that's related to the trusted platform module (TPM) on the device | | |✔️ |
+
+> [!NOTE]
+> Starting on May 2, 2019, the fallback diagnostics process collects EventLog*.etl files only if the signed-in user is the device owner. This is because these files may contain PII data. Such data is accessible to device owners only. This behavior matches the behavior of Windows desktop computers, where administrators have access to event log files but other users do not.
+
+**Sample diagnostic content for HoloLens (1st gen)**
+
+HololensDiagnostics.zip contains files such as the following:
+
+- AuthLogon.etl
+- EventLog-HupRe.etl.001
+- FirstExperience.etl.001
+- HetLog.etl
+- HoloInput.etl.001
+- HoloShell.etl.001
+- WiFi.etl.001
+
+**Sample diagnostic content for HoloLens 2 10.0.18362+**
+
+HololensDiagnostics.zip contains files such as the following:
+
+- EventLog-Application.etl.001*
+- EventLog-System.etl.001*
+- AuthLogon.etl
+- EventLog-HupRe.etl.001
+- FirstExperience.etl.001
+- HetLog.etl
+- HoloInput.etl.001
+- HoloShell.etl.001
+- WiFi.etl.001
+- CSPsAndPolicies.etl.001
+- RadioMgr.etl
+- WiFiDriverIHVSession.etl
+
+DeviceEnrollmentDiagnostics.zip contains files such as the following:
+
+- MDMDiagHtmlReport.html
+- MdmDiagLogMetadata.json
+- MDMDiagReport.xml
+- MdmDiagReport_RegistryDump.reg
+- MdmLogCollectorFootPrint.txt
+
+**Sample diagnostic content for HoloLens 2 10.0.19041+**
+
+HololensDiagnostics.zip contains files such as the following:
+
+- EventLog-Application.etl.001*
+- EventLog-System.etl.001*
+- AuthLogon.etl
+- EventLog-HupRe.etl.001
+- FirstExperience.etl.001
+- HetLog.etl
+- HoloInput.etl.001
+- HoloShell.etl.001
+- WiFi.etl.001
+- CSPsAndPolicies.etl.001
+- RadioMgr.etl
+- WiFiDriverIHVSession.etl
+- DisplayDiagnosticData.json
+- HUP dumps
+
+DeviceEnrollmentDiagnostics.zip contains files such as the following:
+
+- MDMDiagHtmlReport.html
+- MdmDiagLogMetadata.json
+- MDMDiagReport.xml
+- MdmDiagReport_RegistryDump.reg
+- MdmLogCollectorFootPrint.txt
+
+AutoPilotDiagnostics.zip contains files such as the following:
+
+- DeviceHash_HoloLens-U5603.csv
+- LicensingDiag.cab
+- LicensingDiag_Output.txt
+- TpmHliInfo_Output.txt
+- DiagnosticLogCSP_Collector_DeviceEnrollment_\*.etl
+- DiagnosticLogCSP_Collector_Autopilot_*.etl
+
+TPMDiagnostics.zip contains files such as the following:
+
+- CertReq_enrollaik_Output.txt
+- CertUtil_tpminfo_Output.txt
+- TPM\*.etl
diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md
index 6c8b9118e6..6b2cfb74bc 100644
--- a/devices/hololens/hololens-encryption.md
+++ b/devices/hololens/hololens-encryption.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 01/26/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
---
@@ -51,22 +51,22 @@ Provisioning packages are files created by the Windows Configuration Designer to
1. Find the XML license file that was provided when you purchased the Commercial Suite.
1. Browse to and select the XML license file that was provided when you purchased the Commercial Suite.
- >[!NOTE]
- >You can configure [additional settings in the provisioning package](hololens-provisioning.md).
+ > [!NOTE]
+ > You can configure [additional settings in the provisioning package](hololens-provisioning.md).
1. On the **File** menu, click **Save**.
1. Read the warning explaining that project files may contain sensitive information and click **OK**.
- >[!IMPORTANT]
- >When you build a provisioning package, you may include sensitive information in the project files and provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when no longer needed.
+ > [!IMPORTANT]
+ > When you build a provisioning package, you may include sensitive information in the project files and provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when no longer needed.
1. On the **Export** menu, click **Provisioning package**.
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**.
1. Set a value for **Package Version**.
- >[!TIP]
- >You can make changes to existing packages and change the version number to update previously applied packages.
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
1. On the **Select security details for the provisioning package**, click **Next**.
1. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
@@ -87,8 +87,8 @@ Provisioning packages are files created by the Windows Configuration Designer to
1. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
1. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup.
->[!NOTE]
->If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
+> [!NOTE]
+> If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
## Verify device encryption
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index dc042a0f9f..0e557e9c50 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 07/15/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
@@ -20,8 +20,8 @@ appliesto:
You can manage multiple Microsoft HoloLens devices simultaneously using solutions like [Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business). You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business), the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens), and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies).
->[!NOTE]
->Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
+> [!NOTE]
+> Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
## Requirements
@@ -29,7 +29,7 @@ You can manage multiple Microsoft HoloLens devices simultaneously using solution
## Auto-enrollment in MDM
-If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and AirWatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
+If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and AirWatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/mem/intune/enrollment/windows-enroll#enable-windows-10-automatic-enrollment)
When auto-enrollment is enabled, no additional manual enrollment is needed. When the user signs in with an Azure AD account, the device is enrolled in MDM after completing the first-run experience.
@@ -45,4 +45,4 @@ Your device is now enrolled with your MDM server. The device will need to restar
## Unenroll HoloLens from Intune
-You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
\ No newline at end of file
+You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md
new file mode 100644
index 0000000000..85f66c8318
--- /dev/null
+++ b/devices/hololens/hololens-faq-security.md
@@ -0,0 +1,125 @@
+---
+title: Frequently Asked Security Questions
+description: security questions frequently asked about the hololens
+ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
+author: pawinfie
+ms.author: pawinfie
+ms.date: 02/19/2020
+keywords: hololens, Windows Mixed Reality, security
+ms.prod: hololens
+ms.sitesec: library
+ms.topic: article
+audience: ITPro
+ms.localizationpriority: high
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
+manager: bradke
+appliesto:
+- HoloLens 1 (1st gen)
+- HoloLens 2
+---
+
+# Frequently asked questions about HoloLens security
+
+## HoloLens (1st gen) Security Questions
+
+1. **What type of wireless is used?**
+ 1. 802.11ac and Bluetooth 4.1 LE
+1. **What type of architecture is incorporated? For example: point to point, mesh or something else?**
+ 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points.
+ 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices.
+1. **What is FCC ID?**
+ 1. C3K1688
+1. **What frequency range and channels does the device operate on and is it configurable?**
+ 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
+ 1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range.
+1. **Can the device blacklist or white list specific frequencies?**
+ 1. This is not controllable by the user/device
+1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
+ 1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs.
+1. **What is the duty cycle/lifetime for normal operation?**
+ 1. 2-3hrs of active use and up to 2 weeks of standby time
+ 1. Battery lifetime is unavailable.
+1. **What is transmit and receive behavior when a tool is not in range?**
+ 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect.
+1. **What is deployment density per square foot?**
+ 1. This is dependent on your network infrastructure.
+1. **Can device use the infrastructure as a client?**
+ 1. Yes
+1. **What protocol is used?**
+ 1. HoloLens does not use any proprietary protocols
+1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.**
+ 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device.
+1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?**
+ 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted.
+1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?**
+ 1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed.
+1. **What is the frequency of updates to apps in the store for HoloLens?**
+ 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well.
+1. **Is there a secure boot capability for the HoloLens?**
+ 1. Yes
+1. **Is there an ability to disable or disconnect peripheral support from the device?**
+ 1. Yes
+1. **Is there an ability to control or disable the use of ports on the device?**
+ 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
+1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
+ 1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
+ 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
+1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
+ 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
+1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
+ 1. No
+1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
+ 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
+ 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
+
+## HoloLens 2nd Gen Security Questions
+
+1. **What type of wireless is used?**
+ 1. 802.11ac and Bluetooth 5.0
+1. **What type of architecture is incorporated? For example: point to point, mesh or something else?**
+ 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points.
+ 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices.
+1. **What is FCC ID?**
+ 1. C3K1855
+1. **What frequency range and channels does the device operate on and is it configurable?**
+ 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
+1. **Can the device blacklist or white list specific frequencies?**
+ 1. This is not controllable by the user/device
+1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
+ 1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region's regulatory rules.
+1. **What is the duty cycle/lifetime for normal operation?**
+ 1. *Currently unavailable.*
+1. **What is transmit and receive behavior when a tool is not in range?**
+ 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect.
+1. **What is deployment density per square foot?**
+ 1. This is dependent on your network infrastructure.
+1. **Can device use the infrastructure as a client?**
+ 1. Yes
+1. **What protocol is used?**
+ 1. HoloLens does not use any proprietary protocols
+1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.**
+ 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device.
+1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?**
+ 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted.
+1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?**
+ 1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed.
+1. **What is the frequency of updates to apps in the store for HoloLens?**
+ 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well.
+1. **Is there a secure boot capability for the HoloLens?**
+ 1. Yes
+1. **Is there an ability to disable or disconnect peripheral support from the device?**
+ 1. Yes
+1. **Is there an ability to control or disable the use of ports on the device?**
+ 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
+1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
+ 1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
+ 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
+1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
+ 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
+1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
+ 1. No
+1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
+ 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
+ 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md
index 3cc6cc4cfc..e1fab33818 100644
--- a/devices/hololens/hololens-identity.md
+++ b/devices/hololens/hololens-identity.md
@@ -1,12 +1,15 @@
---
-title: Managing user identity and login on HoloLens
-description: Manage user identity, security, and login on HoloLens.
+title: Manage user identity and sign-in for HoloLens
+description: Manage user identity, security, and sign-in for HoloLens.
keywords: HoloLens, user, account, aad, adfs, microsoft account, msa, credentials, reference
ms.assetid: 728cfff2-81ce-4eb8-9aaa-0a3c3304660e
author: scooley
ms.author: scooley
-ms.date: 1/6/2019
+ms.date: 1/6/2020
ms.prod: hololens
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
ms.topic: article
ms.sitesec: library
ms.topic: article
@@ -18,7 +21,7 @@ appliesto:
- HoloLens 2
---
-# User identity and signin
+# Manage user identity and sign-in for HoloLens
> [!NOTE]
> This article is a technical reference for IT Pros and tech enthusiasts. If you're looking for HoloLens set up instructions, read "[Setting up your HoloLens (1st gen)](hololens1-start.md)" or "[Setting up your HoloLens 2](hololens2-start.md)".
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index 633f296a3e..e82148dd22 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -1,54 +1,147 @@
---
-title: Insider preview for Microsoft HoloLens (HoloLens)
-description: It’s simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens.
+title: Insider preview for Microsoft HoloLens
+description: It's simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens.
ms.prod: hololens
ms.sitesec: library
author: scooley
ms.author: scooley
ms.topic: article
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
ms.localizationpriority: medium
audience: ITPro
-ms.date: 1/6/2020
+ms.date: 4/21/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
-- HoloLens (1st gen)
- HoloLens 2
---
# Insider preview for Microsoft HoloLens
-Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
+Welcome to the latest Insider Preview builds for HoloLens! It's simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
## Start receiving Insider builds
-On a device running the Windows 10 April 2018 Update, go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
+On a HoloLens 2 device go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
-Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms.
+Then, select **Active development of Windows**, choose whether you'd like to receive **Fast** or **Slow** builds, and review the program terms.
Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
## Stop receiving Insider builds
-If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic.
+If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Advanced Recovery Companion to recover your device to a non-Insider version of Windows Holographic.
+
+> [!CAUTION]
+> There is a known issue in which users who un-enroll from Insider Preview builds after manually reinstalling a fresh preview build would experience a blue screen. Afterwards they must manually recover their device. For full details on if you would be impacted or not, please view more on this [Known Issue](https://docs.microsoft.com/hololens/hololens-known-issues?source=docs#blue-screen-is-shown-after-unenrolling-from-insider-preview-builds-on-a-device-reflashed-with-a-insider-build).
To verify that your HoloLens is running a production build:
-- Go to **Settings > System > About**, and find the build number.
-- [See the release notes for production build numbers.](hololens-release-notes.md)
+1. Go to **Settings > System > About**, and find the build number.
+1. [See the release notes for production build numbers.](hololens-release-notes.md)
To opt out of Insider builds:
-- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
-- Follow the instructions to opt out your device.
+1. On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
+1. Follow the instructions to opt out your device.
+
+
## Provide feedback and report issues
Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
->[!NOTE]
->Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted).
+> [!NOTE]
+> Be sure to accept the prompt that asks whether you'd like Feedback Hub to access your Documents folder (select **Yes** when prompted).
## Note for developers
You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.
+
+
+## Windows Insider Release Notes
+
+HoloLens 2 Windows Insider builds are full of new features and improvements. Sign up for Windows Insider Fast or Slow flights to test them out!
+Here's a quick summary of what's new:
+
+- Support for FIDO2 Security Keys to enable secure and easy authentication for shared devices
+- Seamlessly apply a provisioning package from a USB drive to your HoloLens
+- Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system
+- Use Windows Autopilot to set up and pre-configure new devices, quickly getting them ready for productive use. To participate in the program you'll need to meet a few requirements. While the program is in preview mode you'll need to be using Microsoft Intune. You'll need to use a tenant that is flighted for HoloLens. Lastly you'll need to have installed an insider preview buildon your HoloLens 2. To praticipate in the preview of this new program send a note to hlappreview@microsoft.com to join the preview.
+- Dark Mode - HoloLens customers can now choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time.
+- Support for additional system voice commands
+- An updated Cortana app with a focus on productivity
+- Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate
+- Performance and stability improvements across the product
+- More information in settings on HoloLens about the policy pushed to the device
+
+Once you've had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers.
+
+### FIDO 2 support
+Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password.
+
+Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started.
+
+### Provisioning package updates
+Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel.
+
+1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC.
+1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices**
+1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device.
+1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package.
+
+### System voice commands
+You can now access these commands with your voice:
+- "Restart device"
+- "Shutdown device"
+- "Brightness up"
+- "Brightness down"
+- "Volume up"
+- "Volume down"
+- "What is my IP address?"
+- "Take a picture"
+- "Take a video" / "Stop recording"
+
+If you're running your system with a different language, please try the appropriate commands in that language.
+
+### Cortana updates
+The updated app integrates with Microsoft 365, currently in English (United States) only, to help you get more done across your devices. On HoloLens 2, Cortana will no longer support certain device-specific commands like adjusting the volume or restarting the device, which are now supported with the new system voice commands above. Learn more about the new Cortana app and its direction on our blog [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/).
+
+There's currently an issue we're investigating that requires you to launch the app once after booting the device in order to use the "Hey Cortana" keyword activation, and if you updated from a 18362 build, you may see an app tile for the previous version of the Cortana app in Start that no longer works.
+
+### Dark mode
+Many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to **Settings > System > Colors to find "Choose your default app mode."**
+Here are some of the in-box apps that support Dark mode!
+- Settings
+- Microsoft Store
+- Mail
+- Calendar
+- File Explorer
+- Feedback Hub
+- OneDrive
+- Photos
+- 3D Viewer
+- Movies & TV
+
+### Windows Autopilot for HoloLens 2
+
+This Autopilot program supports Autopilot self-deploying mode to provision HoloLens 2 devices as shared devices under your tenant. Self-deploying mode leverages the device's preinstalled OEM image and drivers during the provisioning process. A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE).
+
+When a user starts the Autopilot self-deploying process, the process completes the following steps:
+1. Join the device to Azure Active Directory (Azure AD).
+2. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
+3. Download the device-targeted policies, certificates, and networking profiles.
+4. Provision the device.
+5. Present the sign-in screen to the user.
+
+For full information about Autopilot, see [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md).
+
+### FFU download and flash directions
+To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu.
+1. On PC
+ 1. Download ffu to your PC from: [https://aka.ms/hololenspreviewdownload](https://aka.ms/hololenspreviewdownload)
+ 1. Install ARC (Advanced Recovery Companion) from the Microsoft Store: [https://www.microsoft.com/store/productId/9P74Z35SFRS8](https://www.microsoft.com/store/productId/9P74Z35SFRS8)
+1. On HoloLens - Flight Unlock: Open **Settings** > **Update & Security** > **Windows Insider Program** then sign up, reboot device
+1. Flash FFU - Now you can flash the flight signed FFU using ARC
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index d0dbb126b7..c08a6c076b 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -1,5 +1,5 @@
---
-title: Set up HoloLens in kiosk mode (HoloLens)
+title: Set up HoloLens as a kiosk
description: Use a kiosk configuration to lock down the apps on HoloLens.
ms.prod: hololens
ms.sitesec: library
@@ -7,78 +7,359 @@ author: dansimp
ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
-ms.date: 11/13/2018
+ms.date: 04/27/2020
+ms.custom:
+- CI 115262
+- CI 111456
+- CSSTroubleshooting
ms.reviewer:
-manager: dansimp
+manager: laurawi
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
---
-# Set up HoloLens in kiosk mode
+# Set up HoloLens as a kiosk
+You can configure a HoloLens device to function as a fixed-purpose device, also called a *kiosk*, by configuring the device to run in kiosk mode. Kiosk mode limits the applications (or users) that are available on the device. Kiosk mode is a convenient feature that you can use to dedicate a HoloLens device to business apps, or to use the HoloLens device in an app demo.
+This article provides information about aspects of kiosk configuration that are specific to HoloLens devices. For general information about the different types of Windows-based kiosks and how to configure them, see [Configure kiosks and digital signs on Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-methods).
-In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional)
+> [!IMPORTANT]
+> Kiosk mode determines which apps are available when a user signs in to the device. However, kiosk mode is not a security method. It does not stop an "allowed" app from opening another app that is not allowed. In order to block apps or processes from opening, use [Windows Defender Application Control (WDAC) CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) to create appropriate policies.
-When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
+You can use kiosk mode in either a single-app or a multi-app configuration, and you can use one of three processes to set up and deploy the kiosk configuration.
-Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
+> [!IMPORTANT]
+> Deleting the multi-app configuration removes the user lockdown profiles that the assigned access feature created. However, it does not revert all the policy changes. To revert these policies, you have to reset the device to the factory settings.
-The following table lists the device capabilities in the different kiosk modes.
+## Plan the kiosk deployment
-Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Miracast
---- | --- | --- | --- | ---
-Single-app kiosk |  |  |  | 
-Multi-app kiosk |  |  with **Home** and **Volume** (default)
Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.
Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. |  if the Camera app is enabled in the kiosk configuration. |  if the Camera app and device picker app are enabled in the kiosk configuration.
+### Kiosk mode requirements
->[!NOTE]
->Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`.
+You can configure any HoloLens 2 device to use kiosk mode.
-The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration.
+To configure a HoloLens (1st gen) device to use kiosk mode, you must first make sure that the device runs Windows 10, version 1803, or a later version. If you have used the Windows Device Recovery Tool to recover your HoloLens (1st gen) device to its default build, or if you have installed the most recent updates, your device is ready to configure.
->[!WARNING]
->The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access.
->
->Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app.
+> [!IMPORTANT]
+> To help protect devices that run in kiosk mode, consider adding device management policies that turn off features such as USB connectivity. Additionally, check your update ring settings to make sure that automatic updates do not occur during business hours.
-For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk:
-- You can use [Microsoft Intune or other mobile device management (MDM) service](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) to configure single-app and multi-app kiosks.
-- You can [use a provisioning package](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks.
-- You can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device.
+### Decide between a single-app kiosk or a multi-app kiosk
-For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks.
+A single-app kiosk starts the specified app when the user signs in to the device. The Start menu is disabled, as is Cortana. A HoloLens 2 device does not respond to the [Start](hololens2-basic-usage.md#start-gesture) gesture. A HoloLens (1st gen) device does not respond to the [bloom](hololens1-basic-usage.md) gesture. Because only one app can run, the user cannot place other apps.
-## Start layout for HoloLens
+A multi-app kiosk displays the Start menu when the user signs in to the device. The kiosk configuration determines which apps are available on the Start menu. You can use a multi-app kiosk to provide an easy-to-understand experience for users by presenting to them only the things that they have to use, and removing the things they don't need to use.
-If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout.
+The following table lists the feature capabilities in the different kiosk modes.
->[!NOTE]
->Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed.
+| |Start menu |Quick Actions menu |Camera and video |Miracast |Cortana |Built-in voice commands |
+| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+|Single-app kiosk |Disabled |Disabled |Disabled |Disabled |Disabled |Enabled1 |
+|Multi-app kiosk |Enabled |Enabled2 |Available2 |Available2 |Available2, 3 |Enabled1 |
-### Start layout file for MDM (Intune and others)
+> 1 Voice commands that relate to disabled features do not function.
+> 2 For more information about how to configure these features, see [Select kiosk apps](#plan-kiosk-apps).
+> 3 Even if Cortana is disabled, the built-in voice commands are enabled.
-Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
+The following table lists the user support features of the different kiosk modes.
->[!NOTE]
->If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package).
+| |Supported user types | Automatic sign-in | Multiple access levels |
+| --- | --- | --- | --- |
+|Single-app kiosk |Managed Service Account (MSA) in Azure Active Directory (AAD) or local account |Yes |No |
+|Multi-app kiosk |AAD account |No |Yes |
+
+For examples of how to use these capabilities, see the following table.
+
+|Use a single-app kiosk for: |Use a multi-app kiosk for: |
+| --- | --- |
+|A device that runs only a Dynamics 365 Guide for new employees. |A device that runs both Guides and Remote Assistance for a range of employees. |
+|A device that runs only a custom app. |A device that functions as a kiosk for most users (running only a custom app), but functions as a standard device for a specific group of users. |
+
+### Plan kiosk apps
+
+For general information about how to choose kiosk apps, see [Guidelines for choosing an app for assigned access (kiosk mode)](https://docs.microsoft.com/windows/configuration/guidelines-for-assigned-access-app).
+
+If you use the Windows Device Portal to configure a single-app kiosk, you select the app during the setup process.
+
+If you use a Mobile Device Management (MDM) system or a provisioning package to configure kiosk mode, you use the [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to specify applications. The CSP uses [Application User Model IDs (AUMIDs)](https://docs.microsoft.com/windows/configuration/find-the-application-user-model-id-of-an-installed-app) to identify applications. The following table lists the AUMIDs of some in-box applications that you can use in a multi-app kiosk.
+
+> [!CAUTION]
+> You cannot select the Shell app as a kiosk app. Addition, we recommend that you do **not** select Microsoft Edge, Microsoft Store, or File Explorer as a kiosk app.
+
+
+
+|App Name |AUMID |
+| --- | --- |
+|3D Viewer |Microsoft.Microsoft3DViewer\_8wekyb3d8bbwe\!Microsoft.Microsoft3DViewer |
+|Calendar |microsoft.windowscommunicationsapps\_8wekyb3d8bbwe\!microsoft.windowslive.calendar |
+|Camera1, 2 |HoloCamera\_cw5n1h2txyewy\!HoloCamera |
+|Cortana3 |Microsoft.549981C3F5F10\_8wekyb3d8bbwe\!App |
+|Device Picker |HoloDevicesFlow\_cw5n1h2txyewy\!HoloDevicesFlow |
+|Dynamics 365 Guides |Microsoft.Dynamics365.Guides\_8wekyb3d8bbwe\!MicrosoftGuides |
+|Dynamics 365 Remote Assist |Microsoft.MicrosoftRemoteAssist\_8wekyb3d8bbwe\!Microsoft.RemoteAssist |
+|Feedback Hub |Microsoft.WindowsFeedbackHub\_8wekyb3d8bbwe\!App |
+|Mail |c5e2524a-ea46-4f67-841f-6a9465d9d515\_cw5n1h2txyewy\!App |
+|Miracast4 | |
+|Movies & TV |Microsoft.ZuneVideo\_8wekyb3d8bbwe\!Microsoft.ZuneVideo |
+|OneDrive |microsoft.microsoftskydrive\_8wekyb3d8bbwe\!App |
+|Photos |Microsoft.Windows.Photos\_8wekyb3d8bbwe\!App |
+|Settings |HolographicSystemSettings\_cw5n1h2txyewy\!App |
+|Tips |Microsoft.HoloLensTips\_8wekyb3d8bbwe\!HoloLensTips |
+
+> 1 To enable photo or video capture, you have to enable the Camera app as a kiosk app.
+> 2 When you enable the Camera app, be aware of the following conditions:
+> - The Quick Actions menu includes the Photo and Video buttons.
+> - You should also enable an app (such as Photos, Mail, or OneDrive) that can interact with or retrieve pictures.
+>
+> 3 Even if you do not enable Cortana as a kiosk app, built-in voice commands are enabled. However, commands that are related to disabled features have no effect.
+> 4 You cannot enable Miracast directly. To enable Miracast as a kiosk app, enable the Camera app and the Device Picker app.
+
+### Plan user and device groups
+
+In an MDM environment, you use groups to manage device configurations and user access.
+
+The kiosk configuration profile includes the **User logon type** setting. **User logon type** identifies the user (or group that contains the users) who can use the app or apps that you add. If a user signs in by using an account that is not included in the configuration profile, that user cannot use apps on the kiosk.
+
+> [!NOTE]
+> The **User logon type** of a single-app kiosk specifies a single user account. This is the user context under which the kiosk runs. The **User logon type** of a multi-app kiosk can specify one or more user accounts or groups that can use the kiosk.
+
+Before you can deploy the kiosk configuration to a device, you have to *assign* the kiosk configuration profile to a group that contains the device or a user who can sign in to the device. This setting produces behavior such as the following.
+
+- If the device is a member of the assigned group, the kiosk configuration deploys to the device the first time that any user signs in on the device.
+- If the device is not a member of the assigned group, but a user who is a member of that group signs in, the kiosk configuration deploys to the device at that time.
+
+For a full discussion of the effects of assigning configuration profiles in Intune, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/configuration/device-profile-assign).
+
+> [!NOTE]
+> The following examples describe multi-app kiosks. Single-app kiosks behave in a similar manner, but only one user account gets the kiosk experience.
+
+**Example 1**
+
+You use a single group (Group 1) for both devices and users. One device and users A, B, and C are members of this group. You configure the kiosk configuration profile as follows:
+
+- **User logon type**: Group 1
+- **Assigned group**: Group 1
+
+Regardless of which user signs on to the device first (and goes through the Out-of-Box Experience, or OOBE), the kiosk configuration deploys to the device. Users A, B, and C can all sign in to the device and get the kiosk experience.
+
+**Example 2**
+
+You contract out devices to two different vendors who need different kiosk experiences. Both vendors have users, and you want all the users to have access to kiosks from both their own vendor and the other vendor. You configure groups as follows:
+
+- Device Group 1:
+ - Device 1 (Vendor 1)
+ - Device 2 (Vendor 1)
+
+- Device Group 2:
+ - Device 3 (Vendor 2)
+ - Device 4 (Vendor 2)
+
+- User Group:
+ - User A (Vendor 1)
+ - User B (Vendor 2)
+
+You create two kiosk configuration profiles that have the following settings:
+
+- Kiosk Profile 1:
+ - **User logon type**: User Group
+ - **Assigned group**: Device Group 1
+
+- Kiosk Profile 2:
+ - **User logon type**: User Group
+ - **Assigned group**: Device Group 2
+
+These configurations produce the following results:
+
+- When any user signs in to Device 1 or Device 2, Intune deploys Kiosk Profile 1 to that device.
+- When any user signs in to Device 3 or Device 4, Intune deploys Kiosk Profile 2 to that device.
+- User A and user B can sign in to any of the four devices. If they sign in to Device 1 or Device 2, they see the Vendor 1 kiosk experience. If they sign in to Device 3 or Device 4, they see the Vendor 2 kiosk experience.
+
+#### Profile conflicts
+
+If two or more kiosk configuration profiles target the same device, they conflict. In the case of Intune-managed devices, Intune does not apply any of the conflicting profiles.
+
+Other kinds of profiles and policies, such as device restrictions that are not related to the kiosk configuration profile, do not conflict with the kiosk configuration profile.
+
+### Select a deployment method
+
+You can select one of the following methods to deploy kiosk configurations:
+
+- [Microsoft Intune or other mobile device management (MDM) service](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)
+
+- [Provisioning package](#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk)
+
+- [Windows Device Portal](#use-the-windows-device-portal-to-set-up-a-single-app-kiosk)
+
+ > [!NOTE]
+ > Because this method requires that Developer Mode be enabled on the device, we recommend that you use it only for demonstrations.
+
+The following table lists the capabilities and benefits of each of the deployment methods.
+
+| |Deploy by using Windows Device Portal |Deploy by using a provisioning package |Deploy by using MDM |
+| --------------------------- | ------------- | -------------------- | ---- |
+|Deploy single-app kiosks | Yes | Yes | Yes |
+|Deploy multi-app kiosks | No | Yes | Yes |
+|Deploy to local devices only | Yes | Yes | No |
+|Deploy by using Developer Mode |Required | Not required | Not required |
+|Deploy by using Azure Active Directory (AAD) | Not required | Not required | Required |
+|Deploy automatically | No | No | Yes |
+|Deployment speed | Fastest | Fast | Slow |
+|Deploy at scale | Not recommended | Not recommended | Recommended |
+
+## Use Microsoft Intune or other MDM to set up a single-app or multi-app kiosk
+
+To set up kiosk mode by using Microsoft Intune or another MDM system, follow these steps.
+
+1. [Prepare to enroll the devices](#mdmenroll).
+1. [Create a kiosk configuration profile](#mdmprofile).
+1. Configure the kiosk.
+ - [Configure the settings for a single-app kiosk](#mdmconfigsingle).
+ - [Configure the settings for a multi-app kiosk](#mdmconfigmulti).
+1. [Assign the kiosk configuration profile to a group](#mdmassign).
+1. Deploy the devices.
+ - [Deploy a single-app kiosk](#mdmsingledeploy).
+ - [Deploy a multi-app kiosk](#mdmmultideploy).
+
+### MDM, step 1 – Prepare to enroll the devices
+
+You can configure your MDM system to enroll HoloLens devices automatically when the user first signs in, or have users enroll devices manually. The devices also have to be joined to your Azure AD domain, and assigned to the appropriate groups.
+
+For more information about how to enroll the devices, see [Enroll HoloLens in MDM](hololens-enroll-mdm.md) and [Intune enrollment methods for Windows devices](https://docs.microsoft.com/mem/intune/enrollment/windows-enrollment-methods).
+
+### MDM, step 2 – Create a kiosk configuration profile
+
+1. Open the [Azure](https://portal.azure.com/) portal and sign in to your Intune administrator account.
+1. Select **Microsoft Intune** > **Device configuration - Profiles** > **Create profile**.
+1. Enter a profile name.
+1. Select **Platform** > **Windows 10 and later**, and then select **Profile type** >**Device restrictions**.
+1. Select **Configure** > **Kiosk**, and then select one of the following:
+ - To create a single-app kiosk, select **Kiosk Mode** > **Single-app kiosk**.
+ - To create a multi-app kiosk, select **Kiosk Mode** > **Multi-app kiosk**.
+1. To start configuring the kiosk, select **Add**.
+
+Your next steps differ depending on the type of kiosk that you want. For more information, select one of the following options:
+
+- [Single-app kiosk](#mdmconfigsingle)
+- [Multi-app kiosk](#mdmconfigmulti)
+
+For more information about how to create a kiosk configuration profile, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/configuration/kiosk-settings).
+
+### MDM, step 3 (single-app) – Configure the settings for a single-app kiosk
+
+This section summarizes the settings that a single-app kiosk requires. For more details, see the following articles:
+
+- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
+- For more information about the available settings for single-app kiosks in Intune, see [Single full-screen app kiosks](https://docs.microsoft.com/intune/configuration/kiosk-settings-holographic#single-full-screen-app-kiosks)
+- For other MDM services, check your provider's documentation for instructions. If you have to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig).
+
+1. Select **User logon type** > **Local user account**, and then enter the user name of the local (device) account or Microsoft Account (MSA) that can sign in to the kiosk.
+ > [!NOTE]
+ > **Autologon** user account types aren't supported on Windows Holographic for Business.
+1. Select **Application type** > **Store app**, and then select an app from the list.
+
+Your next step is to [assign](#mdmassign) the profile to a group.
+
+### MDM, step 3 (multi-app) – Configure the settings for a multi-app kiosk
+
+This section summarizes the settings that a multi-app kiosk requires. For more detailed information, see the following articles:
+
+- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
+- For more information about the available settings for multi-app kiosks in Intune, see [Multi-app kiosks](https://docs.microsoft.com/mem/intune/configuration/kiosk-settings-holographic#multi-app-kiosks)
+- For other MDM services, check your provider's documentation for instructions. If you need to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). If you use an XML file, make sure to include the [Start layout](#start-layout-for-hololens).
+- You can optionally use a custom Start layout with Intune or other MDM services. For more information, see [Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others).
+
+1. Select **Target Windows 10 in S mode devices** > **No**.
+ >[!NOTE]
+ > S mode isn't supported on Windows Holographic for Business.
+1. Select **User logon type** > **Azure AD user or group** or **User logon type** > **HoloLens visitor**, and then add one or more user groups or accounts.
+
+ Only users who belong to the groups or accounts that you specify in **User logon type** can use the kiosk experience.
+
+1. Select one or more apps by using the following options:
+ - To add an uploaded line-of-business app, select **Add store app** and then select the app that you want.
+ - To add an app by specifying its AUMID, select **Add by AUMID** and then enter the AUMID of the app. [See the list of available AUMIDs](#aumids)
+
+Your next step is to [assign](#mdmassign) the profile to a group.
+
+### MDM, step 4 – Assign the kiosk configuration profile to a group
+
+Use the **Assignments** page of the kiosk configuration profile to set where you want the kiosk configuration to deploy. In the simplest case, you assign the kiosk configuration profile to a group that will contain the HoloLens device when the device enrolls in MDM.
+
+### MDM, step 5 (single-app) – Deploy a single-app kiosk
+
+When you use an MDM system, you can enroll the device in MDM during OOBE. After OOBE finishes, signing in to the device is easy.
+
+During OOBE, follow these steps:
+
+1. Sign in by using the account that you specified in the kiosk configuration profile.
+1. Enroll the device. Make sure that the device is added to the group that the kiosk configuration profile is assigned to.
+1. Wait for OOBE to finish, for the store app to download and install, and for policies to be applied. Then restart the device.
+
+The next time you sign in to the device, the kiosk app should automatically start.
+
+If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor).
+
+### MDM, step 5 (multi-app) – Deploy a multi-app kiosk
+
+When you use an MDM system, you can join the device to your Azure AD tenant and enroll the device in MDM during OOBE. If appropriate, provide the enrollment information to the users so that they have it available during the OOBE process.
+
+> [!NOTE]
+> If you have assigned the kiosk configuration profile to a group that contains users, make sure that one of those user accounts is the first account to sign in to the device.
+
+During OOBE, follow these steps:
+
+1. Sign in by using the account that belongs to the **User logon type** group.
+1. Enroll the device.
+1. Wait for any apps that are part of the kiosk configuration profile to download and install. Also, wait for policies to be applied.
+1. After OOBE finishes, you can install additional apps from the Microsoft store or by sideloading. [Required apps](https://docs.microsoft.com/mem/intune/apps/apps-deploy#assign-an-app) for the group that the device belongs to install automatically.
+1. After the installation finishes, restart the device.
+
+The next time you sign in to the device by using an account that belongs to the **User logon type**, the kiosk app should automatically launch.
+
+If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor).
+
+## Use a provisioning package to set up a single-app or multi-app kiosk
+
+To set up kiosk mode by using a provisioning package, follow these steps.
+
+1. [Create an XML file that defines the kiosk configuration.](#ppkioskconfig), including a [Start layout](#start-layout-for-hololens).
+2. [Add the XML file to a provisioning package.](#ppconfigadd)
+3. [Apply the provisioning package to HoloLens.](#ppapply)
+
+### Provisioning package, step 1 – Create a kiosk configuration XML file
+
+Follow [the general instructions to create a kiosk configuration XML file for Windows desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#create-xml-file), except for the following:
+
+- Do not include Classic Windows applications (Win32). HoloLens does not support these applications.
+- Use the [placeholder Start layout XML](#start-layout-for-hololens) for HoloLens.
+- Optional: Add guest access to the kiosk configuration
+
+#### Optional: Add guest access to the kiosk configuration
+
+In the [**Configs** section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured to support the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data that is associated with the account is deleted when the account signs out.
+
+To enable the **Guest** account, add the following snippet to your kiosk configuration XML:
```xml
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
```
-### Start layout for a provisioning package
+#### Placeholder Start layout for HoloLens
-You will [create an XML file](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file.
+If you use a [provisioning package](##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Windows Holographic for Business. Therefore, you'll have to use a placeholder Start layout.
+
+> [!NOTE]
+> Because a single-app kiosk starts the kiosk app when a user signs in, it does not use a Start menu and does not have to have a Start layout.
+
+> [!NOTE]
+> If you use [MDM](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk) to set up a multi-app kiosk, you can optionally use a Start layout. For more information, see [Placeholder Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others).
+
+For the Start layout, add the following **StartLayout** section to the kiosk provisioning XML file:
```xml
@@ -100,119 +381,94 @@ You will [create an XML file](#setup-kiosk-mode-using-a-provisioning-package-win
```
-## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803)
+#### Placeholder Start layout file for MDM (Intune and others)
-For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings).
+Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
-For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-a-kiosk-configuration-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file.
-
-## Setup kiosk mode using a provisioning package (Windows 10, version 1803)
-
-Process:
-1. [Create an XML file that defines the kiosk configuration.](#create-a-kiosk-configuration-xml-file)
-2. [Add the XML file to a provisioning package.](#add-the-kiosk-configuration-xml-file-to-a-provisioning-package)
-3. [Apply the provisioning package to HoloLens.](#apply-the-provisioning-package-to-hololens)
-
-### Create a kiosk configuration XML file
-
-Follow [the instructions for creating a kiosk configuration XML file for desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package), with the following exceptions:
-
-- Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens.
-- Use the [placeholder Start XML](#start-layout-for-hololens) for HoloLens.
-
-#### Add guest access to the kiosk configuration (optional)
-
-In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out.
-
-Use the following snippet in your kiosk configuration XML to enable the **Guest** account:
+> [!NOTE]
+> If you have to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-hololens).
```xml
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
```
-### Add the kiosk configuration XML file to a provisioning package
+### Prov. package, step 2 – Add the kiosk configuration XML file to a provisioning package
1. Open [Windows Configuration Designer](https://www.microsoft.com/store/apps/9nblggh4tx22).
-2. Choose **Advanced provisioning**.
-3. Name your project, and click **Next**.
-4. Choose **Windows 10 Holographic** and click **Next**.
-5. Select **Finish**. The workspace for your package opens.
-6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
-7. In the center pane, click **Browse** to locate and select the kiosk configuration XML file that you created.
+1. Select **Advanced provisioning**, enter a name for your project, and then select **Next**.
+1. Select **Windows 10 Holographic**, and then select **Next**.
+1. Select **Finish**. The workspace for your package opens.
+1. Select **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
+1. In the center pane, select **Browse** to locate and select the kiosk configuration XML file that you created.
- 
+ 
-8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
-9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
-10. On the **File** menu, select **Save.**
-11. On the **Export** menu, select **Provisioning package**.
-12. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+1. **Optional**. (If you want to apply the provisioning package after the initial setup of the device, and there is an admin user already available on the kiosk device, skip this step.) Select **Runtime settings** > **Accounts** > **Users**, and then create a user account. Provide a user name and password, and then select **UserGroup** > **Administrators**.
+
+ By using this account, you can view the provisioning status and logs.
+1. **Optional**. (If you already have a non-admin account on the kiosk device, skip this step.) Select **Runtime settings** > **Accounts** > **Users**, and then create a local user account. Make sure that the user name is the same as for the account that you specify in the configuration XML. Select **UserGroup** > **Standard Users**.
+1. Select **File** > **Save**.
+1. Select **Export** > **Provisioning package**, and then select **Owner** > **IT Admin**. This sets the precedence of this provisioning package higher than provisioning packages that are applied to this device from other sources.
+1. Select **Next**.
+1. On the **Provisioning package security** page, select a security option.
+ > [!IMPORTANT]
+ > If you select **Enable package signing**, you also have to select a valid certificate to use for signing the package. To do this, select **Browse** and select the certificate that you want to use to sign the package.
+
+ > [!CAUTION]
+ > Do not select **Enable package encryption**. On HoloLens devices, this setting causes provisioning to fail.
+1. Select **Next**.
+1. Specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. If you want to change the output location, select **Browse**. When you are finished, select **Next**.
+1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The build page displays the project information, and the progress bar indicates the build status.
-13. On the **Provisioning package security** page, do not select **Enable package encryption** or provisioning will fail on HoloLens. You can choose to enable package signing.
+### Provisioning package, step 3 – Apply the provisioning package to HoloLens
- - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
+The "Configure HoloLens by using a provisioning package" article provides detailed instructions to apply the provisioning package under the following circumstances:
-14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location.
+- You can initially [apply a provisioning package to HoloLens during setup](hololens-provisioning.md#apply-a-provisioning-package-to-hololens-during-setup).
-15. Click **Next**.
+- You can also [apply a provisioning package to HoloLens after setup](hololens-provisioning.md#4-apply-a-provisioning-package-to-hololens-after-setup).
-16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+## Use the Windows Device Portal to set up a single-app kiosk
+To set up kiosk mode by using the Windows Device Portal, follow these steps.
+
+> [!IMPORTANT]
+> Kiosk mode is available only if the device has [Windows Holographic for Business](hololens1-upgrade-enterprise.md) installed.
+
+1. [Set up the HoloLens device to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
+
+ > [!CAUTION]
+ > When you set up HoloLens to use the Device Portal, you have to enable Developer Mode on the device. Developer Mode on a device that has Windows Holographic for Business enables you to side-load apps. However, this setting creates a risk that a user can install apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable Developer Mode by using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider). [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
-### Apply the provisioning package to HoloLens
+1. On a computer, connect to the HoloLens by using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_usb).
-1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
+1. Do one of the following:
+ - If you are connecting to the Windows Device Portal for the first time, [create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#creating_a_username_and_password)
+ - Enter the user name and password that you previously set up.
-3. HoloLens will show up as a device in File Explorer on the PC.
+ > [!TIP]
+ > If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#security_certificate).
-4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
+1. In the Windows Device Portal, select **Kiosk Mode**.
-5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
-
-6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
-
-7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
-
-
-## Set up kiosk mode using the Windows Device Portal (Windows 10, version 1607 and version 1803)
-
-1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
-
- >[!IMPORTANT]
- >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
-
-2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb).
-
-3. [Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
-
- >[!TIP]
- >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate).
-
-4. In the Windows Device Portal, click **Kiosk Mode**.
+1. Select **Enable Kiosk Mode**, select an app to run when the device starts, and then select **Save**.
-
- >[!NOTE]
- >The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
-
-5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**.
-
-
-## Kiosk app recommendations
-
-- You cannot select Microsoft Edge, Microsoft Store, or the Shell app as a kiosk app.
-- We recommend that you do **not** select the Settings app and the File Explorer app as a kiosk app.
-- You can select Cortana as a kiosk app.
-- To enable photo or video capture, the HoloCamera app must be enabled as a kiosk app.
+1. Restart HoloLens. If you still have your Device Portal page open, you can select **Restart** at the top of the page.
## More information
-
-
-Watch how to configure a kiosk in a provisioning package.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
+Watch how to configure a kiosk by using a provisioning package.
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
diff --git a/devices/hololens/hololens-known-issues.md b/devices/hololens/hololens-known-issues.md
index 3cb3f43717..de39da5999 100644
--- a/devices/hololens/hololens-known-issues.md
+++ b/devices/hololens/hololens-known-issues.md
@@ -1,32 +1,81 @@
---
-title: HoloLens known issues
+title: Known issues for HoloLens
description: This is the list of known issues that may affect HoloLens developers.
keywords: troubleshoot, known issue, help
author: mattzmsft
ms.author: mazeller
-ms.date: 8/30/2019
+ms.date: 4/20/2020
ms.topic: article
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
HoloLens and holograms: Frequently asked questions
manager: jarrettr
ms.prod: hololens
appliesto:
-- HoloLens 1
+- HoloLens (1st Gen)
+- HoloLens 2
---
-# HoloLens known issues
+# Known issues for HoloLens
-This is the current list of known issues for HoloLens that affect developers. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates.
-
-## Unable to connect and deploy to HoloLens through Visual Studio
+This is the current list of known issues for HoloLens devices. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates.
>[!NOTE]
->Last Update: 8/8 @ 5:11PM - Visual Studio has released VS 2019 Version 16.2 which includes a fix to this issue. We recommend updating to this newest version to avoid experiencing this error.
+> - If you discover an issue that is not blocking you please report it on your HoloLens device via [Feedback Hub](hololens-feedback.md).
+> - If the issue you are facing is blocking you, in addtion to filing feedback, please [file a support request](https://aka.ms/hlsupport).
+
+- [Known issues for all HoloLens generations](#known-issues-for-all-hololens-generations)
+- [Known issues for HoloLens 2 devices](#known-issues-for-hololens-2-devices)
+- [Known issues for HoloLens (1st Gen)](#known-issues-for-hololens-1st-gen)
+- [Known issues for HoloLens emulator](#known-issues-for-hololens-emulator)
+
+## Known issues for all HoloLens generations
+
+### Unity
+
+- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Unity recommended for HoloLens development.
+- Known issues with the Unity HoloLens Technical Preview are documented in the [HoloLens Unity forums](https://forum.unity3d.com/threads/known-issues.394627/).
+
+### Windows Device Portal
+
+- The Live Preview feature in Mixed Reality capture may exhibit several seconds of latency.
+- On the Virtual Input page, the Gesture and Scroll controls under the Virtual Gestures section are not functional. Using them will have no effect. The virtual keyboard on the same page works correctly.
+- After enabling Developer Mode in Settings, it may take a few seconds before the switch to turn on the Device Portal is enabled.
+
+## Known issues for HoloLens 2 devices
+
+### Blue screen is shown after unenrolling from Insider preview builds on a device reflashed with a Insider build
+
+This is an issue affecting that affects users who are were on an Insider preview build, reflashed their HoloLens 2 with a new insider preview build, and then unenrolled from the Insider program.
+
+This does not affect:
+- Users who are not enrolled in Windows Insider
+- Insiders:
+ - If a device has been enrolled since Insider builds were version 18362.x
+ - If they flashed a Insider signed 19041.x build AND stay enrolled in the Insider program
+
+Work-around:
+- Avoid the issue
+ - Flash a non-insider build. One of the regular monthly updates.
+ - Stay on Insider Preview
+- Reflash the device
+ 1. Put the [HoloLens 2 into flashing mode](https://review.docs.microsoft.com/hololens/hololens-recovery?branch=master#hololens-2) manually by fully powering down while not connect. Then while holding Volume up, tap the Power button.
+ 1. Connect to the PC and open Advanced Recovery Companion.
+ 1. Flash the HoloLens 2 to the default build.
+
+## Known issues for HoloLens (1st Gen)
+
+### Unable to connect and deploy to HoloLens through Visual Studio
+
+> [!NOTE]
+> Last Update: 8/8 @ 5:11PM - Visual Studio has released VS 2019 Version 16.2 which includes a fix to this issue. We recommend updating to this newest version to avoid experiencing this error.
Visual Studio has released VS 2019 Version 16.2 which includes a fix to this issue. We recommend updating to this newest version to avoid experiencing this error.
Issue root-cause: Users who used Visual Studio 2015 or early releases of Visual Studio 2017 to deploy and debug applications on their HoloLens and then subsequently used the latest versions of Visual Studio 2017 or Visual Studio 2019 with the same HoloLens will be affected. The newer releases of Visual Studio deploy a new version of a component, but files from the older version are left over on the device, causing the newer version to fail. This causes the following error message: DEP0100: Please ensure that target device has developer mode enabled. Could not obtain a developer license on \ due to error 80004005.
-### Workaround
+#### Workaround
Our team is currently working on a fix. In the meantime, you can use the following steps to work around the issue and help unblock deployment and debugging:
@@ -36,14 +85,14 @@ Our team is currently working on a fix. In the meantime, you can use the followi
1. Give the project a name (such as "HoloLensDeploymentFix") and make sure the Framework is set to at least .NET Framework 4.5, then Select **OK**.
1. Right-click on the **References** node in Solution Explorer and add the following references (select to the **Browse** section and select **Browse**):
- ``` CMD
+ ```CMD
C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\Microsoft.Tools.Deploy.dll
C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\Microsoft.Tools.Connectivity.dll
C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\SirepInterop.dll
```
- >[!NOTE]
- >If you don't have 10.0.18362.0 installed, use the most recent version that you have.
+ > [!NOTE]
+ > If you don't have 10.0.18362.0 installed, use the most recent version that you have.
1. Right-click on the project in Solution Explorer and select **Add** > **Existing Item**.
1. Browse to C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86 and change the filter to **All Files (\*.\*)**.
@@ -51,14 +100,14 @@ Our team is currently working on a fix. In the meantime, you can use the followi
1. Locate and select both files in Solution Explorer (they should be at the bottom of the list of files) and change **Copy to Output Directory** in the **Properties** window to **Copy always**.
1. At the top of the file, add the following to the existing list of `using` statements:
- ``` CMD
+ ```CMD
using Microsoft.Tools.Deploy;
using System.Net;
```
1. Inside of `static void Main(...)`, add the following code:
- ``` PowerShell
+ ```PowerShell
RemoteDeployClient client = RemoteDeployClient.CreateRemoteDeployClient();
client.Connect(new ConnectionOptions()
{
@@ -70,13 +119,13 @@ Our team is currently working on a fix. In the meantime, you can use the followi
1. Select **Build** > **Build Solution**.
1. Open a Command Prompt Window and cd to the folder that contains the compiled .exe file (for example, C:\MyProjects\HoloLensDeploymentFix\bin\Debug)
-1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the device’s Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1"
+1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the device's Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1"
1. After the tool has exited without any messages (this should only take a few seconds), you will now be able to deploy and debug from Visual Studio 2017 or newer. Continued use of the tool is not necessary.
We will provide further updates as they become available.
-## Issues launching the Microsoft Store and apps on HoloLens
+### Issues launching the Microsoft Store and apps on HoloLens
> [!NOTE]
> Last Update: 4/2 @ 10 AM - Issue resolved.
@@ -84,9 +133,9 @@ We will provide further updates as they become available.
You may experience issues when trying to launch the Microsoft Store and apps on HoloLens. We've determined that the issue occurs when background app updates deploy a newer version of framework packages in specific sequences while one or more of their dependent apps are still running. In this case, an automatic app update delivered a new version of the .NET Native Framework (version 10.0.25531 to 10.0.27413) caused the apps that are running to not correctly update for all running apps consuming the prior version of the framework. The flow for framework update is as follows:
1. The new framework package is downloaded from the store and installed
-1. All apps using the older framework are ‘updated’ to use the newer version
+1. All apps using the older framework are 'updated' to use the newer version
-If step 2 is interrupted before completion then any apps for which the newer framework wasn’t registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue.
+If step 2 is interrupted before completion then any apps for which the newer framework wasn't registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue.
Some users have reported that closing hung apps and launching other apps such as Feedback Hub, 3D Viewer or Photos resolves the issue for them—however, this does not work 100% of the time.
@@ -112,10 +161,10 @@ If you would not like to take the update, we have released a new version of the
If your device is still unable to load apps, you can sideload a version of the .NET Native Framework and Runtime through the download center by following these steps:
1. Please download [this zip file](https://download.microsoft.com/download/8/5/C/85C23745-794C-419D-B8D7-115FBCCD6DA7/netfx_1.7.zip) from the Microsoft Download Center. Unzipping will produce two files. Microsoft.NET.Native.Runtime.1.7.appx and Microsoft.NET.Native.Framework.1.7.appx
-1. Please verify that your device is dev unlocked. If you haven’t done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal).
+1. Please verify that your device is dev unlocked. If you haven't done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal).
1. You then want to get into the Windows Device Portal. Our recommendation is to do this over USB and you would do that by typing http://127.0.0.1:10080 into your browser.
-1. After you have the Windows Device Portal up we need you to “side load” the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**.
-1. You will then see a screen that is similar to the below. You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on “Go” under the Deploy section. Then do this for the second APPX file.
+1. After you have the Windows Device Portal up we need you to "side load" the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**.
+1. You will then see a screen that is similar to the below. You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on "Go" under the Deploy section. Then do this for the second APPX file.
1. At this point we believe your applications should start working again and that you can also get to the Store.
@@ -123,38 +172,27 @@ If your device is still unable to load apps, you can sideload a version of the .
We appreciate your patience as we have gone through the process to get this issue resolved, and we look forward to continued working with our community to create successful Mixed Reality experiences.
-## Device Update
+### Device Update
- 30 seconds after a new update, the shell may disappear one time. Please perform the **bloom** gesture to resume your session.
-## Visual Studio
+### Visual Studio
- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Visual Studio that is recommended for HoloLens development.
- When deploying an app from Visual Studio to your HoloLens, you may see the error: **The requested operation cannot be performed on a file with a user-mapped section open. (Exception from HRESULT: 0x800704C8)**. If this happens, try again and your deployment will generally succeed.
-## Emulator
-
-- Not all apps in the Microsoft Store are compatible with the emulator. For example, Young Conker and Fragments are not playable on the emulator.
-- You cannot use the PC webcam in the Emulator.
-- The Live Preview feature of the Windows Device Portal does not work with the emulator. You can still capture Mixed Reality videos and images.
-
-## Unity
-
-- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Unity recommended for HoloLens development.
-- Known issues with the Unity HoloLens Technical Preview are documented in the [HoloLens Unity forums](https://forum.unity3d.com/threads/known-issues.394627/).
-
-## Windows Device Portal
-
-- The Live Preview feature in Mixed Reality capture may exhibit several seconds of latency.
-- On the Virtual Input page, the Gesture and Scroll controls under the Virtual Gestures section are not functional. Using them will have no effect. The virtual keyboard on the same page works correctly.
-- After enabling Developer Mode in Settings, it may take a few seconds before the switch to turn on the Device Portal is enabled.
-
-## API
+### API
- If the application sets the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) behind the user or the normal to camera.forward, holograms will not appear in Mixed Reality Capture photos or videos. Until this bug is fixed in Windows, if applications actively set the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) they should ensure the plane normal is set opposite camera-forward (for example, normal = -camera.forward).
-## Xbox Wireless Controller
+### Xbox Wireless Controller
- Xbox Wireless Controller S must be updated before it can be used with HoloLens. Ensure you are [up to date](https://support.xbox.com/xbox-one/accessories/update-controller-for-stereo-headset-adapter) before attempting to pair your controller with a HoloLens.
- If you reboot your HoloLens while the Xbox Wireless Controller is connected, the controller will not automatically reconnect to HoloLens. The Guide button light will flash slowly until the controller powers off after 3 minutes. To reconnect your controller immediately, power off the controller by holding the Guide button until the light turns off. When you power your controller on again, it will reconnect to HoloLens.
- If your HoloLens enters standby while the Xbox Wireless Controller is connected, any input on the controller will wake the HoloLens. You can prevent this by powering off your controller when you are done using it.
+
+## Known issues for HoloLens emulator
+
+- Not all apps in the Microsoft Store are compatible with the emulator. For example, Young Conker and Fragments are not playable on the emulator.
+- You cannot use the PC webcam in the Emulator.
+- The Live Preview feature of the Windows Device Portal does not work with the emulator. You can still capture Mixed Reality videos and images.
diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md
index 6d33228879..ef727bfc77 100644
--- a/devices/hololens/hololens-licenses-requirements.md
+++ b/devices/hololens/hololens-licenses-requirements.md
@@ -10,41 +10,55 @@ ms.topic: article
ms.localizationpriority: high
ms.date: 1/23/2020
ms.reviewer:
+audience: ITPro
manager: bradke
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
-# Licenses Required for Mixed Reality Deployment
-
-If you plan on using a Mobile Device Management system (MDM) to manage your HoloLens, please review the MDM License Guidance section.
+# Determine what licenses you need
## Mobile Device Management (MDM) Licenses Guidance
+If you plan on managing your HoloLens devices, you will need Azure AD and an MDM. Active Director (AD) cannot be used to manage HoloLens devices.
If you plan on using an MDM other than Intune, an [Azure Active Directory Licenses](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) is required.
-
-If you plan on using Intune as your MDM, you can acquire an [Enterprise Mobility + Security (EMS) suite (E3 or E5) licenses](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing). **Please note that Azure AD is included in both suites.**
+If you plan on using Intune as your MDM, [here](https://docs.microsoft.com/intune/fundamentals/licenses) are a list of suites that includes Intune licenses. **Please note that Azure AD is included in the majority of these suites.**
## Identify the licenses needed for your scenario and products
+### HoloLens Licenses Requirements
+
+You may need to upgrade your HoloLens 1st Gen Device to Windows Holographic for Business. (See [HoloLens commercial features](holoLens-commercial-features.md#feature-comparison-between-editions) to determine if you need to upgrade).
+
+ If so, you will need to do the following:
+
+- Acquire a HoloLens Enterprise license XML file
+- Apply the XML file to the HoloLens. You can do this through a [Provisioning package](hololens-provisioning.md) or through your [Mobile Device Manager](https://docs.microsoft.com/intune/configuration/holographic-upgrade)
+
### Remote Assist License Requirements
+
Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements).
-1. [Remote Assist License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
-1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free)
-1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
+1. [Remote Assist License](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/buy-and-deploy-remote-assist)
+1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free)
+1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
+
+If you plan on implementing **[this cross-tenant scenario](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/cross-tenant-overview#scenario-2-leasing-services-to-other-tenants)**, you may need an Information Barriers license. Please see [this article](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/cross-tenant-licensing-implementation#step-1-determine-if-information-barriers-are-necessary) to determine if an Information Barrier License is required.
### Guides License Requirements
+
Updated licensing and device requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/guides/requirements).
-1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
-1. [Power BI](https://powerbi.microsoft.com/desktop/)
-1. [Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/setup)
+1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
+1. [Power BI](https://powerbi.microsoft.com/desktop/)
+1. [Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/setup)
### Scenario 1: Kiosk Mode
-If you are not planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
-1. If you are **not** planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
-1. If you are planning to use an MDM other than Intune, your MDM provider will have steps on configuring Kiosk mode.
-1. If you are planning to use **Intune** as your MDM, implementation directions can be found in [Configuring your Network for HoloLens]().
+1. If you are **not** planning to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
+1. If you are planning to use an MDM to implement Kiosk mode, you will need an [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis).
+
+Additional information regarding kiosk mode will be covered in [Configuring your Network for HoloLens](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
+
+## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md)
\ No newline at end of file
diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md
index 4bd8b317ef..d65929d676 100644
--- a/devices/hololens/hololens-multiple-users.md
+++ b/devices/hololens/hololens-multiple-users.md
@@ -9,7 +9,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 09/16/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
diff --git a/devices/hololens/hololens-network.md b/devices/hololens/hololens-network.md
index 19c9669559..bd9286a91e 100644
--- a/devices/hololens/hololens-network.md
+++ b/devices/hololens/hololens-network.md
@@ -5,7 +5,6 @@ ms.assetid: 0895606e-96c0-491e-8b1c-52e56b00365d
author: mattzmsft
ms.author: mazeller
keywords: HoloLens, wifi, wireless, internet, ip, ip address
-ms.date: 08/30/19
ms.prod: hololens
ms.sitesec: library
ms.localizationpriority: high
@@ -55,6 +54,12 @@ You can also confirm you are connected to a Wi-Fi network by checking the Wi-Fi
1. Open the **Start** menu.
1. Look at the top left of the **Start** menu for Wi-Fi status. The state of Wi-Fi and the SSID of the connected network will be shown.
+## Troubleshooting your connection to Wi-Fi
+
+If you experience problems connecting to Wi-Fi, see [I can't connect to Wi-Fi](./hololens-faq.md#i-cant-connect-to-wi-fi).
+
+When you sign into an enterprise or organizational account on the device, it may also apply Mobile Device Management (MDM) policy, if the policy is configured by your IT administrator.
+
## Disabling Wi-Fi on HoloLens (1st gen)
### Using the Settings app on HoloLens
diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md
index e3b11960b1..b9ee084421 100644
--- a/devices/hololens/hololens-offline.md
+++ b/devices/hololens/hololens-offline.md
@@ -5,9 +5,12 @@ keywords: hololens, offline, OOBE
audience: ITPro
ms.date: 07/01/2019
ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301
-author: v-miegge
-ms.author: v-miegge
-manager: v-miegge
+author: Teresa-Motiv
+ms.author: v-tea
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
+manager: jarrettr
ms.topic: article
ms.prod: hololens
ms.sitesec: library
@@ -17,9 +20,9 @@ appliesto:
- HoloLens 2
---
-# Manage connection endpoints for HoloLens
+# Manage connection endpoints for HoloLens
-Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional.
+Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuration (e.g. proxy or firewall) for those components to be functional.
## Near-offline setup
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index b22a4ef671..197084ced1 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -1,184 +1,197 @@
---
-title: Configure HoloLens using a provisioning package (HoloLens)
+title: Configure HoloLens by using a provisioning package (HoloLens)
+
description: Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging.
ms.prod: hololens
ms.sitesec: library
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
author: dansimp
ms.author: dansimp
ms.topic: article
+ms.custom:
+- CI 115190
+- CSSTroubleshooting
ms.localizationpriority: medium
-ms.date: 11/13/2018
-ms.reviewer:
-manager: dansimp
+ms.date: 03/10/2020
+ms.reviewer: Teresa-Motiv
+manager: laurawi
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
---
-# Configure HoloLens using a provisioning package
+# Configure HoloLens by using a provisioning package
+[Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages.
+Some of the HoloLens configurations that you can apply in a provisioning package include the following:
-[Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages.
-
-Some of the HoloLens configurations that you can apply in a provisioning package:
-- Upgrade to Windows Holographic for Business
+- Upgrade to Windows Holographic for Business [here](hololens1-upgrade-enterprise.md)
- Set up a local account
- Set up a Wi-Fi connection
- Apply certificates to the device
+- Enable Developer Mode
+- Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk).
-To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
-
-
-
-
-## Create a provisioning package for HoloLens using the HoloLens wizard
+## Provisioning package HoloLens wizard
The HoloLens wizard helps you configure the following settings in a provisioning package:
- Upgrade to the enterprise edition
- >[!NOTE]
- >Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
+ > [!NOTE]
+ > This should only be used for HoloLens 1st gen devices. Settings in a provisioning package are only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
- Configure the HoloLens first experience (OOBE)
-- Configure Wi-Fi network
-- Enroll device in Azure Active Directory or create a local account
+- Configure the Wi-Fi network
+- Enroll the device in Azure Active Directory, or create a local account
- Add certificates
- Enable Developer Mode
+- Configure kiosk mode. (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk)).
->[!WARNING]
->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
+> [!WARNING]
+> You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
-Provisioning packages can include management instructions and policies, customization of network connections and policies, and more.
+Provisioning packages can include management instructions and policies, custom network connections and policies, and more.
> [!TIP]
> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
+## Steps for creating provisioning packages
-### Create the provisioning package
+1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). This includes HoloLens 2 capabilities.
+2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configuration Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. This option does not include HoloLens 2 capabilities.
+
+> [!NOTE]
+> If you know you will be using an offline PC that needs access to Windows Configuration Designer please follow the offline app install [here](https://docs.microsoft.com/hololens/hololens-recovery#downloading-arc-without-using-the-app-store) for Advanced Recovery Companion but making Windows Confiugration Desinger your selection instead.
+
+### 2. Create the provisioning package
Use the Windows Configuration Designer tool to create a provisioning package.
1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
-2. Click **Provision HoloLens devices**.
+2. Select **Provision HoloLens devices**.
- 
+ 
-3. Name your project and click **Finish**.
+3. Name your project and select **Finish**.
-4. Read the instructions on the **Getting started** page and select **Next**. The pages for desktop provisioning will walk you through the following steps.
+4. Read the instructions on the **Getting started** page and select **Next**. The pages for desktop provisioning walk you through the following steps.
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
### Configure settings
-
  Browse to and select the enterprise license file to upgrade the HoloLens edition.You can also toggle Yes or No to hide parts of the first experience.To set up the device without the need to connect to a Wi-Fi network, toggle Skip Wi-Fi setup to On.Select a region and timezone in which the device will be used. |  |
-  In this section, you can enter the details of the Wi-Fi wireless network that the device should connect to automatically. To do this, select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network. |  |
-  You can enroll the device in Azure Active Directory, or create a local account on the deviceBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions. To create a local account, select that option and enter a user name and password. Important: (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. |  |
+| In this section, you can enter the details of the Wi-Fi wireless network that the device should automatically connect to. To do this, select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network. | |
+ You can enroll the device in Azure Active Directory, or create a local account on the deviceBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Select Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Select Accept to give Windows Configuration Designer the necessary permissions. To create a local account, select that option and enter a user name and password. Important:
(For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. | |
  To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used. |  |
  Toggle Yes or No to enable Developer Mode on the HoloLens. Learn more about Developer Mode. |  |
  Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail. |  |
-After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
+After you're done, select **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
- **Next step**: [How to apply a provisioning package](#apply)
+### 3. Create a provisioning package for HoloLens by using advanced provisioning
-
-## Create a provisioning package for HoloLens using advanced provisioning
-
->[!NOTE]
->Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
+> [!NOTE]
+> A provisioning package that you create in **Advanced provisioning** does not need to include an edition upgrade license to Windows Holographic for Business to succesfully apply to a HoloLens (1st gen). [See more on Windows Holographic for Business for HoloLens (1st gen)](hololens1-upgrade-enterprise.md).
1. On the Windows Configuration Designer start page, select **Advanced provisioning**.
2. In the **Enter project details** window, specify a name for your project and the location for your project. Optionally, enter a brief description to describe your project.
-3. Click **Next**.
+3. Select **Next**.
-4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then click **Next**.
+4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then select **Next**.
-6. Click **Finish**.
+5. Select **Finish**.
-7. Expand **Runtime settings** and customize the package with any of the settings [described below](#what-you-can-configure).
+6. Expand **Runtime settings** and customize the package by using any of the settings [described later in this article](#what-you-can-configure).
- >[!IMPORTANT]
- >(For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery).
+ > [!IMPORTANT]
+ > (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery).
-8. On the **File** menu, click **Save**.
+7. Select **File** > **Save**.
-4. Read the warning that project files may contain sensitive information, and click **OK**.
+8. Read the warning that project files may contain sensitive information, and select **OK**.
- >[!IMPORTANT]
- >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+ > [!IMPORTANT]
+ > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
-3. On the **Export** menu, click **Provisioning package**.
+9. Select **Export** > **Provisioning package**.
-4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**.
+10. Change **Owner** to **IT Admin**. This sets the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. Select **Next**.
-5. Set a value for **Package Version**.
+11. Set a value for **Package Version**.
- >[!TIP]
- >You can make changes to existing packages and change the version number to update previously applied packages.
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
-6. On the **Select security details for the provisioning package**, click **Next**.
+12. On the **Select security details for the provisioning package**, select **Next**.
- >[!WARNING]
- >If you encrypt the provisioning package, provisioning the HoloLens device will fail.
+ > [!WARNING]
+ > If you encrypt the provisioning package, provisioning the HoloLens device will fail.
-7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
+13. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
- Optionally, you can click **Browse** to change the default output location.
+ Optionally, you can select **Browse** to change the default output location.
-8. Click **Next**.
+14. Select **Next**.
-9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+15. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
-10. When the build completes, click **Finish**.
+16. When the build completes, select **Finish**.
+
## Apply a provisioning package to HoloLens during setup
-1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
+1. Use the USB cable to connect the device to a PC, and then start the device. Do not continue past the **First interactable moment** page of OOBE.
+ - On HoloLens (1st gen), this page contains a blue box.
+ - On HoloLens 2, this page contains the hummingbird.
-2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. (This step isn't needed in Windows 10, version 1803.)
+2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously.
-3. HoloLens will show up as a device in File Explorer on the PC.
+3. HoloLens shows up as a device in File Explorer on the PC.
4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
-6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
+6. The device asks you if you trust the package and would like to apply it. Confirm that you trust the package.
7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
->[!NOTE]
->If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
+> [!NOTE]
+> If the device was purchased before August 2016, you will need to sign in to the device by using a Microsoft account, get the latest operating system update, and then reset the operating system in order to apply the provisioning package.
-## Apply a provisioning package to HoloLens after setup
+### 4. Apply a provisioning package to HoloLens after setup
->[!NOTE]
->Windows 10, version 1809 only
+> [!NOTE]
+> These steps apply only toWindows 10, version 1809.
-On your PC:
-1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
-2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
-3. Drag and drop the provisioning package to the Documents folder on the HoloLens.
+On your PC, follow these steps:
+1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
+2. Connect the HoloLens device to a PC by using a USB cable. HoloLens shows up as a device in File Explorer on the PC.
+3. Drag and drop the provisioning package to the Documents folder on the HoloLens.
-On your HoloLens:
-1. Go to **Settings > Accounts > Access work or school**.
+On your HoloLens, follow these steps:
+1. Go to **Settings** > **Accounts** > **Access work or school**.
2. In **Related Settings**, select **Add or remove a provisioning package**.
3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**.
-After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package.
+After your package has been applied, it shows up in the list of **Installed packages**. To view the package details or to remove the package from the device, select the listed package.
## What you can configure
-Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
+Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://docs.microsoft.com/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers).
-In Windows Configuration Designer, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens.
+In Windows Configuration Designer, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). The following table describes settings that you might want to configure for HoloLens.
@@ -187,14 +200,9 @@ In Windows Configuration Designer, when you create a provisioning package for Wi
| **Certificates** | Deploy a certificate to HoloLens. |
| **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. |
| **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens1-upgrade-enterprise.md) |
-| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies) |
-
->[!NOTE]
->App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens.
-
-
-
-
-
+| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hololenspolicies) |
+> [!NOTE]
+> HoloLens does not currently support installing apps (**UniversalAppInstall**) by using a provisioning package.
+## Next Step: [Enroll your device](hololens-enroll-mdm.md)
diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md
index b2e0d48bc7..8ef5f12b0a 100644
--- a/devices/hololens/hololens-recovery.md
+++ b/devices/hololens/hololens-recovery.md
@@ -1,5 +1,5 @@
---
-title: Reset or recover your HoloLens
+title: Restart, reset, or recover HoloLens
ms.reviewer: Both basic and advanced instructions for rebooting or resetting your HoloLens.
description: How to use Advanced Recovery Companion to flash an image to HoloLens 2.
keywords: how-to, reboot, reset, recover, hard reset, soft reset, power cycle, HoloLens, shut down, arc, advanced recovery companion
@@ -7,7 +7,10 @@ ms.prod: hololens
ms.sitesec: library
author: mattzmsft
ms.author: mazeller
-ms.date: 08/30/2019
+ms.date: 04/27/2020
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
ms.topic: article
ms.localizationpriority: high
manager: jarrettr
@@ -18,9 +21,9 @@ appliesto:
# Restart, reset, or recover HoloLens
-If you’re experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery.
+If you're experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery.
-Here are some things to try if your HoloLens isn’t running well. This article will guide you through the recommended recovery steps in succession.
+Here are some things to try if your HoloLens isn't running well. This article will guide you through the recommended recovery steps in succession.
This article focuses on the HoloLens device and software, if your holograms don't look right, [this article](hololens-environment-considerations.md) talks about environmental factors that improve hologram quality.
@@ -33,9 +36,9 @@ First, try restarting the device.
The safest way to restart the HoloLens is by using Cortana. This is generally a great first-step when experiencing an issue with HoloLens:
1. Put on your device
-1. Make sure it’s powered on, a user is logged in, and the device is not waiting for a password to unlock it.
-1. Say “Hey Cortana, reboot” or "Hey Cortana, restart."
-1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say “Yes.”
+1. Make sure it's powered on, a user is logged in, and the device is not waiting for a password to unlock it.
+1. Say "Hey Cortana, reboot" or "Hey Cortana, restart."
+1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say "Yes."
1. The device will now restart.
### Perform a safe restart by using the power button
@@ -45,7 +48,7 @@ If you still can't restart your device, you can try to restart it by using the p
1. Press and hold the power button for five seconds.
1. After one second, you will see all five LEDs illuminate, then slowly turn off from right to left.
1. After five seconds, all LEDs will be off, indicating the shutdown command was issued successfully.
- 1. Note that it’s important to stop pressing the button immediately after all the LEDs have turned off.
+ 1. Note that it's important to stop pressing the button immediately after all the LEDs have turned off.
1. Wait one minute for the shutdown to cleanly succeed. Note that the shutdown may still be in progress even if the displays are turned off.
1. Power on the device again by pressing and holding the power button for one second.
@@ -66,20 +69,20 @@ If none of the previous methods are able to successfully restart your device, yo
1. Press and hold the power button for at least 10 seconds.
- - It’s okay to hold the button for longer than 10 seconds.
- - It’s safe to ignore any LED activity.
+ - It's okay to hold the button for longer than 10 seconds.
+ - It's safe to ignore any LED activity.
1. Release the button and wait for two or three seconds.
1. Power on the device again by pressing and holding the power button for one second.
-If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device.
+If you're still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device.
## Reset to factory settings
->[!NOTE]
->The battery needs at least 40 percent charge to reset.
+> [!NOTE]
+> The battery needs at least 40 percent charge to reset.
-If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that’s installed on it and returns everything else to factory settings.
+If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that's installed on it and returns everything else to factory settings.
-If you reset your device, all your personal data, apps, and settings will be erased. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth).
+If you reset your device, all your personal data, apps, and settings will be erased, including TPM reset. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth).
1. Launch the Settings app, and then select **Update** > **Reset**.
1. Select the **Reset device** option and read the confirmation message.
@@ -97,7 +100,7 @@ All of the data HoloLens needs to reset is packaged in a Full Flash Update (ffu)
### HoloLens 2
-The Advanced Recovery Companion is a new app in Microsoft Store restore the operating system image to your HoloLens 2 device.
+The Advanced Recovery Companion is a new app in Microsoft Store restore the operating system image to your HoloLens 2 device. Advanced Recovery Companion erases all your personal data, apps, and settings, and resets TPM.
1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store.
2. Connect HoloLens 2 to your computer.
@@ -106,13 +109,47 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper
5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.)
6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device.
->[!TIP]
->In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion:
+#### Manual flashing mode
+
+> [!TIP]
+> In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion:
+
+1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed.
+1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit.
+1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device.
+1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
+
+#### Downloading ARC without using the app store
+
+If an IT environment prevents the use of the Windows Store app or limits access to the retail store, IT administrators can make this app available through other ‘offline’ deployment paths.
+
+- This process may also be used for other apps, as seen in step 2. This guide will focus on Advanced Recovery Companion, but my be modified for other offline apps.
+
+This deployment path can be enabled with the following steps:
+1. Go to the [Store For Business website](https://businessstore.microsoft.com) and sign-in with an Azure AD identity.
+1. Go to **Manage – Settings**, and turn on **Show offline apps** under **Shopping experience** as described at https://businessstore.microsoft.com/manage/settings/shop
+1. Go to **shop for my group** and search for the [Advanced Recovery Companion](https://businessstore.microsoft.com/store/details/advanced-recovery-companion/9P74Z35SFRS8) app.
+1. Change the **License Type** box to offline and click **Manage**.
+1. Under Download the package for offline use click the second blue **“Download”** button . Ensure the file extension is .appxbundle.
+1. At this stage, if the Desktop PC has Internet access, simply double click and install.
+1. The IT administrator can also distribute this app through System Center Configuration Manager (SCCM) or Intune.
+1. If the target PC has no Internet connectivity, some additional steps are needed:
+ 1. Select the unencoded license and click **“Generate license”** and under **“Required Frameworks”** click **“Download.”**
+ 1. PCs without internet access will need to use DISM to apply the package with the dependency and license. In an administrator command prompt, type:
+
+ ```console
+ C:\WINDOWS\system32>dism /online /Add-ProvisionedAppxPackage /PackagePath:"C:\ARCoffline\Microsoft.AdvancedRecoveryCompanion_1.19050.1301.0_neutral_~_8wekyb3d8bbwe.appxbundle" /DependencyPackagePath:"C:\ARCoffline\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x86__8wekyb3d8bbwe.appx" /LicensePath:"C:\ARCoffline\Microsoft.AdvancedRecoveryCompanion_8wekyb3d8bbwe_f72ce112-dd2e-d771-8827-9cbcbf89f8b5.xml" /Region:all
+ ```
+> [!NOTE]
+> The version number in this code example may not match the currently avalible version. You may have also choosen a different download location than in the example given. Please make sure to make any changes as needed.
+
+> [!TIP]
+> When planning to use Advanced Recovery Companion to install an ffu offline it may be useful to download your flashing image to be availible, here is the [current image for HoloLens 2](https://aka.ms/hololens2download).
+
+Other resources:
+- https://docs.microsoft.com/microsoft-store/distribute-offline-apps
+- https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-app-package--appx-or-appxbundle--servicing-command-line-options
-1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed.
-1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. It will the the only lit LED.
- 1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device:
-1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
### HoloLens (1st gen)
@@ -120,7 +157,7 @@ If necessary, you can install a completely new operating system on your HoloLens
Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time. When you're done, the latest version of the Windows Holographic software approved for your HoloLens will be installed.
-To use the tool, you’ll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can’t run this tool on a virtual machine.
+To use the tool, you'll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can't run this tool on a virtual machine.
To recover your HoloLens
@@ -128,4 +165,4 @@ To recover your HoloLens
1. Connect the HoloLens (1st gen) to your computer using the Micro USB cable that came with your HoloLens.
1. Run the Windows Device Recovery Tool and follow the instructions.
-If the HoloLens (1st gen) isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode.
+If the HoloLens (1st gen) isn't automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode.
diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md
index aaf200a4b0..b289b56df1 100644
--- a/devices/hololens/hololens-release-notes.md
+++ b/devices/hololens/hololens-release-notes.md
@@ -1,14 +1,17 @@
---
-title: What's new in Microsoft HoloLens
+title: HoloLens release notes
description: Learn about updates in each new HoloLens release.
author: scooley
ms.author: scooley
-manager: dansimp
+manager: laurawi
ms.prod: hololens
ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
ms.date: 12/02/2019
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
audience: ITPro
appliesto:
- HoloLens 1
@@ -16,12 +19,51 @@ appliesto:
---
-# HoloLens Release Notes
+# HoloLens release notes
## HoloLens 2
+
> [!Note]
> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
+### April Update - build 18362.1059
+
+**Dark mode for supported apps**
+
+Many Windows apps support both dark and light modes, and soon HoloLens 2 customers can choose the default mode for apps that support both color schemes! Based on overwhelmingly positive customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time.
+Navigate to **Settings > System > Colors** to find **"Choose your default app mode."**
+
+Here are some of the in-box apps that support dark mode:
+- Settings
+- Microsoft Store
+- Mail
+- Calendar
+- File Explorer
+- Feedback Hub
+- OneDrive
+- Photos
+- 3D Viewer
+- Movies & TV
+
+**Improvements and fixes also in the update:**
+- Ensure shell overlays are included in mixed reality captures.
+- Unreal developers are now able to use the 3D View page in Device Portal to test and debug their applications.
+- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod DepthReprojection algorithm is used.
+- Fixed WinRT IStreamSocketListener API Class Not Registered error on 32-bit ARM app.
+
+### March Update - build 18362.1056
+
+- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod AutoPlanar algorithm is used.
+- Ensures the coordinate system attached to a depth MF sample is consistent with public documentation.
+- Developers productivity improvement by enabling customers to paste large amount of text through device portal.
+
+### February Update - build 18362.1053
+
+- Temporarily disabled the HolographicSpace.UserPresence API for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled.
+- Fixed a random HUP crash cased by hand tracking, in which user will notice an UI freeze then back to shell after several seconds.
+- We made an improvement in hand tracking so that while poking using index finger, the upper part of that finger will be less likely to curl unexpectedly.
+- Improved reliability of head tracking, spatial mapping, and other runtimes.
+
### January Update - build 18362.1043
- Stability improvements for exclusive apps when working with the HoloLens 2 emulator.
@@ -49,12 +91,12 @@ appliesto:
| Feature | Details |
|---|---|
| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app.
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.
 |
-| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) |
+| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
-| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). |
-| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
-| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. |
-| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. |
+| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
+| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
+| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
+| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
@@ -85,7 +127,7 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for
- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
-- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#wizard).
+- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
@@ -97,7 +139,7 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for
- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
-- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
+- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index eb068d6e65..c8be6947ae 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -6,6 +6,7 @@ ms.sitesec: library
ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001
author: scooley
ms.author: scooley
+audience: ITPro
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/15/2019
@@ -13,48 +14,90 @@ ms.date: 07/15/2019
# Deploy HoloLens in a commercial environment
-You can deploy and configure HoloLens at scale in a commercial setting.
+You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time.
-This article includes:
+This document also assumes that the HoloLens has been evaluated by security teams as safe to use on the corporate network. Frequently asked security questions can be found [here](hololens-faq-security.md)
-- Infrastructure requirements and recommendations for HoloLens management
-- Tools for provisioning HoloLens
-- Instructions for remote device management
-- Options for application deployment
+## Overview of Deployment Steps
-This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time.
+1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need)
+1. [Determine what licenses you need](hololens-licenses-requirements.md)
+1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md).
+ 1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
+1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md)
+1. [Enroll Device](hololens-enroll-mdm.md)
+1. [Set up ring based updates for HoloLens](hololens-updates.md)
+1. [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
-## Infrastructure for managing HoloLens
+## Step 1. Determine what you need
-HoloLens is, at its core, a Windows mobile device integrated with Azure. It works best in commercial environments with wireless network availability (wi-fi) and access to Microsoft services.
+Before deploying the HoloLens in your environment, it is important to first determine what features, apps, and type of identities are needed. It is also important to ensure that your security team has approved of the use of the HoloLens on the company's network. Please see [Frequently ask security questions](hololens-faq-security.md) for additional security information.
-Critical cloud services include:
+### Type of Identity
-- Azure active directory (AAD)
-- Windows Update (WU)
+Determine the type of identity that will be used to sign into the device.
-Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure to manage HoloLens devices at scale. This guide uses [Microsoft Intune](https://www.microsoft.com/enterprise-mobility-security/microsoft-intune) as an example, though any provider with full support for Microsoft Policy can support HoloLens. Ask your mobile device management provider if they support HoloLens 2.
+1. **Local Accounts:** This account is local to the device (like a local admin account on a windows PC). This will allow only 1 user to log into the device.
+2. **MSA:** This is a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device.
+3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device.
-HoloLens does support a limited set of cloud disconnected experiences.
+For more detailed information about identity types, please visit our [HoloLens Identity](hololens-identity.md) article.
-## Initial set up at scale
+### Type of Features
-The HoloLens out of box experience is great for setting up one or two devices or for experiencing HoloLens for the first time. If you're provisioning many HoloLens devices, however, selecting your language and settings manually for each device gets tedious and limits scale.
+Your feature requirements will determine which HoloLens you need. One popular feature that we see deployed in customer environments frequently is Kiosk Mode. A list of HoloLens key features, and the editions of HoloLens that support them, can be found [here](hololens-commercial-features.md).
-This section:
+**What is Kiosk Mode?**
-- Introduces Windows provisioning using provisioning packages
-- Walks through applying a provisioning package during first setup
+Kiosk mode is a way to restrict the apps that a user has access to. This means that users will only be allowed to access certain apps.
-### Create and apply a provisioning package
+**What Kiosk Mode do I require?**
-The best way to configure many new HoloLens device is with Windows provisioning. You can use it to specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in minutes.
+There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple, specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered:
-A [provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) (.ppkg) is a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device.
+1. **Do different users require different experiences/restrictions?** Consider the following example: User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to Guides.
+ 1. If yes, you will require the following:
+ 1. Azure AD Accounts as the method of signing into the device.
+ 1. **Multi-app** kiosk mode.
+ 1. If no, continue to question two
+1. **Do you require a multi-app experience?**
+ 1. If yes, **Multi-app** kiosk is mode is needed
+ 1. If your answer to question 1 and 2 are both no, **single-app** kiosk mode can be used
-### Upgrade to Windows Holographic for Business
+**How to Configure Kiosk Mode:**
-- HoloLens Enterprise license XML file
+There are two main ways ([provisioning packages](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) and [MDM](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
+
+### Apps and App Specific Scenarios
+
+The majority of the steps found in this document will also apply to the following apps:
+
+| App | App Specific Scenarios |
+| --- | --- |
+| Remote Assist | [Cross Tenant Communication](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/cross-tenant-overview)|
+| Guides | *Coming Soon* |
+|Custom Apps | *Coming Soon* |
+
+### Determine your enrollment method
+
+1. Bulk enrollment with a security token in a provisioning package.
+ Pros: this is the most automated approach\
+ Cons: takes initial server-side setup
+1. Auto-enroll on user sign in.
+ Pros: easiest approach
+ Cons: users will need to complete set up after the provisioning package has been applied
+1. _not recommended_ - Manually enroll post-setup.
+ Pros: possible to enroll after set up
+ Cons: most manual approach and devices aren't centrally manageable until they're manually enrolled.
+
+ More information can be found [here](hololens-enroll-mdm.md)
+
+### Determine if you need to create a provisioning package
+
+There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device. However, there are some scenarios where using a provisioning package is the better choice:
+
+1. You want to configure the HoloLens to skip the Out of Box Experience (OOBE)
+1. You are having trouble deploying certificate in a complex network. The majority of the time you can deploy certificates using MDM (even in complex environments). However, some scenarios require certificates to be deployed through the provisioning package.
Some of the HoloLens configurations you can apply in a provisioning package:
@@ -64,82 +107,12 @@ Some of the HoloLens configurations you can apply in a provisioning package:
- (HoloLens 2) bulk enroll in mobile device management
- (HoloLens v1) Apply key to enable Windows Holographic for Business
-Follow [this guide](https://docs.microsoft.com/hololens/hololens-provisioning) to create and apply a provisioning package to HoloLens.
+If you decide to use provisioning packages, follow [this guide](hololens-provisioning.md).
-### Set up user identity and enroll in device management
-
-The last step in setting up HoloLens for management at scale is to enroll devices with mobile device management infrastructure. There are several ways to enroll:
-
-1. Bulk enrollment with a security token in a provisioning package.
- Pros: this is the most automated approach
- Cons: takes initial server-side setup
-1. Auto-enroll on user sign in.
- Pros: easiest approach
- Cons: users will need to complete set up after the provisioning package has been applied
-1. _not recommended_ - Manually enroll post-setup.
- Pros: possible to enroll after set up
- Cons: most manual approach and devices aren't centrally manageable until they're manually enrolled.
-
-Learn more about MDM enrollment [here](hololens-enroll-mdm.md).
-
-## Ongoing device management
-
-Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely.
-
-This article outlines [policies and capabilities HoloLens supports](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#hololens).
-
-[This article](https://docs.microsoft.com/intune/windows-holographic-for-business) talks about Intune's management tools for HoloLens.
-
-### Push compliance policy via Intune
-
-[Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant.
-
-For example, you can create a policy that requires Bitlocker be enabled.
-
-[Create compliance policies with Intune](https://docs.microsoft.com/intune/compliance-policy-create-windows).
-
-### Manage updates
-
-Intune includes a feature called Update rings for Windows 10 devices, including HoloLens 2 and HoloLens v1 (with Holographic for Business). Update rings include a group of settings that determine how and when updates are installed.
-
-For example, you can create a maintenance window to install updates, or choose to restart after updates are installed. You can also choose to pause updates indefinitely until you're ready to update.
-
-Read more about [configuring update rings with Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
-
-## Application management
-
-Manage HoloLens applications through:
-
-1. Microsoft Store
- The Microsoft Store is the best way to distribute and consume applications on HoloLens. There is a great set of core HoloLens applications already available in the store or you can [publish your own](https://docs.microsoft.com/windows/uwp/publish/).
- All applications in the store are available publicly to everyone, but if it isn't acceptable, checkout the Microsoft Store for Business.
-
-1. [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/)
- Microsoft Store for Business and Education is a custom store for your corporate environment. It lets you use the Microsoft Store built into Windows 10 and HoloLens to find, acquire, distribute, and manage apps for your organization. It also lets you deploy apps that are specific to your commercial environment but not to the world.
-
-1. Application deployment and management via Intune or another mobile device management solution
- Most mobile device management solutions, including Intune, provide a way to deploy line of business applications directly to a set of enrolled devices. See this article for [Intune app install](https://docs.microsoft.com/intune/apps-deploy).
-
-1. _not recommended_ Device Portal
- Applications can also be installed on HoloLens directly using the Windows Device Portal. This isn't recommended since Developer Mode has to be enabled to use the device portal.
-
-Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololens/hololens-install-apps).
+## Next Step: [Determine what licenses you need](hololens-licenses-requirements.md)
## Get support
Get support through the Microsoft support site.
-[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f).
-
-## Technical Reference
-
-### Wireless network EAP support
-
-- PEAP-MS-CHAPv2
-- PEAP-TLS
-- TLS
-- TTLS-CHAP
-- TTLS-CHAPv2
-- TTLS-MS-CHAPv2
-- TTLS-PAP
-- TTLS-TLS
+[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f)
diff --git a/devices/hololens/hololens-spaces.md b/devices/hololens/hololens-spaces.md
index 26790eacca..485e56773e 100644
--- a/devices/hololens/hololens-spaces.md
+++ b/devices/hololens/hololens-spaces.md
@@ -1,9 +1,12 @@
---
-title: Mapping physical spaces with HoloLens
+title: Map physical spaces with HoloLens
description: HoloLens learns what a space looks like over time. Users can facilitate this process by moving the HoloLens in certain ways through the space.
ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
author: dorreneb
ms.author: dobrown
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
ms.date: 09/16/2019
keywords: hololens, Windows Mixed Reality, design, spatial mapping, HoloLens, surface reconstruction, mesh, head tracking, mapping
ms.prod: hololens
@@ -15,14 +18,14 @@ appliesto:
- HoloLens 2
---
-# Mapping physical spaces with HoloLens
+# Map physical spaces with HoloLens
HoloLens blends holograms with your physical world. To do that, HoloLens has to learn about the physical world around you and remember where you place holograms within that space.
Over time, the HoloLens builds up a *spatial map* of the environment that it has seen. HoloLens updates the map as the environment changes. As long as you are logged in and the device is turned on, HoloLens creates and updates your spatial maps. If you hold or wear the device with the cameras pointed at a space, the HoloLens tries to map the area. While the HoloLens learns a space naturally over time, there are ways in which you can help HoloLens map your space more quickly and efficiently.
> [!NOTE]
-> If your HoloLens can’t map your space or is out of calibration, HoloLens may enter Limited mode. In Limited mode, you won’t be able to place holograms in your surroundings.
+> If your HoloLens can't map your space or is out of calibration, HoloLens may enter Limited mode. In Limited mode, you won't be able to place holograms in your surroundings.
This article explains how HoloLens maps spaces, how to improve spatial mapping, and how to manage the spatial data that HoloLens collects.
diff --git a/devices/hololens/hololens-status.md b/devices/hololens/hololens-status.md
index e6ccdbd207..a1209dd3c8 100644
--- a/devices/hololens/hololens-status.md
+++ b/devices/hololens/hololens-status.md
@@ -1,18 +1,21 @@
---
-title: HoloLens status
+title: Status of the HoloLens services
description: Shows the status of HoloLens online services.
-author: todmccoy
-ms.author: v-todmc
+author: Teresa-Motiv
+ms.author: v-tea
ms.reviewer: luoreill
manager: jarrettr
audience: Admin
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
ms.topic: article
ms.prod: hololens
ms.localizationpriority: high
ms.sitesec: library
---
-# HoloLens status
+# Status of the HoloLens services
✔️ **All services are active**
diff --git a/devices/hololens/hololens-troubleshooting.md b/devices/hololens/hololens-troubleshooting.md
index 7102984f4c..b4d107902a 100644
--- a/devices/hololens/hololens-troubleshooting.md
+++ b/devices/hololens/hololens-troubleshooting.md
@@ -1,5 +1,5 @@
---
-title: HoloLens troubleshooting
+title: Troubleshoot HoloLens issues
description: Solutions for common HoloLens issues.
author: mattzmsft
ms.author: mazeller
@@ -11,16 +11,19 @@ audience: ITPro
ms.localizationpriority: medium
keywords: issues, bug, troubleshoot, fix, help, support, HoloLens
manager: jarrettr
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
-# Troubleshooting HoloLens issues
+# Troubleshoot HoloLens issues
This article describes how to resolve several common HoloLens issues.
-## My HoloLens is unresponsive or won’t start
+## My HoloLens is unresponsive or won't start
If your HoloLens won't start:
@@ -35,59 +38,59 @@ If these steps don't work, you can try [recovering your device](hololens-recover
## Holograms don't look good
-If your holograms are unstable, jumpy, or don’t look right, try:
+If your holograms are unstable, jumpy, or don't look right, try:
- Cleaning your device visor and sensor bar on the front of your HoloLens.
- Increasing the light in your room.
- Walking around and looking at your surroundings so that HoloLens can scan them more completely.
- Calibrating your HoloLens for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
-## HoloLens doesn’t respond to gestures
+## HoloLens doesn't respond to gestures
To make sure that HoloLens can see your gestures. Keep your hand in the gesture frame - when HoloLens can see your hand, the cursor changes from a dot to a ring.
Learn more about using gestures on [HoloLens (1st gen)](hololens1-basic-usage.md#use-hololens-with-your-hands) or [HoloLens 2](hololens2-basic-usage.md#the-hand-tracking-frame).
-If your environment is too dark, HoloLens might not see your hand, so make sure that there’s enough light.
+If your environment is too dark, HoloLens might not see your hand, so make sure that there's enough light.
If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently.
-## HoloLens doesn’t respond to my voice commands
+## HoloLens doesn't respond to my voice commands
-If Cortana isn’t responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
+If Cortana isn't responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
-## I can’t place holograms or see holograms that I previously placed
+## I can't place holograms or see holograms that I previously placed
-If HoloLens can’t map or load your space, it enters Limited mode and you won’t be able to place holograms or see holograms that you’ve placed. Here are some things to try:
+If HoloLens can't map or load your space, it enters Limited mode and you won't be able to place holograms or see holograms that you've placed. Here are some things to try:
-- Make sure that there’s enough light in your environment so HoloLens can see and map the space.
-- Make sure that you’re connected to a Wi-Fi network. If you’re not connected to Wi-Fi, HoloLens can’t identify and load a known space.
+- Make sure that there's enough light in your environment so HoloLens can see and map the space.
+- Make sure that you're connected to a Wi-Fi network. If you're not connected to Wi-Fi, HoloLens can't identify and load a known space.
- If you need to create a new space, connect to Wi-Fi, then restart your HoloLens.
- To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**.
-- If the correct space is loaded and you’re still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space.
+- If the correct space is loaded and you're still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space.
-## My HoloLens can’t tell what space I’m in
+## My HoloLens can't tell what space I'm in
-If your HoloLens can’t identify and load the space you’re in automatically, check the following factors:
+If your HoloLens can't identify and load the space you're in automatically, check the following factors:
-- Make sure that you’re connected to Wi-Fi
-- Make sure that there’s plenty of light in the room
-- Make sure that there haven’t been any major changes to the surroundings.
+- Make sure that you're connected to Wi-Fi
+- Make sure that there's plenty of light in the room
+- Make sure that there haven't been any major changes to the surroundings.
You can also load a space manually or manage your spaces by going to **Settings** > **System** > **Spaces**.
-## I’m getting a “low disk space” error
+## I'm getting a "low disk space" error
-You’ll need to free up some storage space by doing one or more of the following:
+You'll need to free up some storage space by doing one or more of the following:
- Delete some unused spaces. Go to **Settings** > **System** > **Spaces**, select a space that you no longer need, and then select **Remove**.
-- Remove some of the holograms that you’ve placed.
+- Remove some of the holograms that you've placed.
- Delete some pictures and videos from the Photos app.
- Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, and then select **Uninstall**.
-## My HoloLens can’t create a new space
+## My HoloLens can't create a new space
-The most likely problem is that you’re running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
+The most likely problem is that you're running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
## The HoloLens emulators isn't working
diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md
index e0b662bd3d..2b4e28a971 100644
--- a/devices/hololens/hololens-updates.md
+++ b/devices/hololens/hololens-updates.md
@@ -1,5 +1,5 @@
---
-title: Managing updates to HoloLens
+title: Manage HoloLens updates
description: Administrators can use mobile device management to manage updates to HoloLens devices.
ms.prod: hololens
ms.sitesec: library
@@ -8,90 +8,209 @@ ms.author: v-tea
audience: ITPro
ms.topic: article
ms.localizationpriority: high
-ms.date: 11/7/2019
+ms.date: 03/24/2020
ms.reviewer: jarrettr
manager: jarrettr
+ms.custom:
+- CI 115825
+- CI 111456
+- CSSTroubleshooting
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
-# Managing HoloLens updates
+# Manage HoloLens updates
-HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the Internet.
+HoloLens uses Windows Update in the same manner as other Windows 10 devices. When an update is available, it is automatically downloaded and installed the next time that your device is plugged in and connected to the internet. This article describes how to manage updates in an enterprise or other managed environment. For information about managing updates to individual HoloLens devices, see [Update HoloLens](hololens-update-hololens.md).
-This article will walk through all of the way to manage updates on HoloLens.
+## Manage updates automatically
-## Manually check for updates
+Windows Holographic for Business can use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to manage updates. All HoloLens 2 devices can use Windows Holographic for Business. Make sure that they use Windows Holographic for Business build 10.0.18362.1042 or a later build. If you have HoloLens (1st gen) devices, you have to [upgrade them to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage their updates.
-While HoloLens periodically checks for system updates so you don't have to, there may be circumstances in which you want to manually check.
+Windows Update for Business connects HoloLens devices directly to the Windows Update service. By using Windows Update for Business, you can control multiple aspects of the update process—that is, which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. Or, you can define different update schedules for different types of updates.
-To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app says your device is up to date, you have all the updates that are currently available.
+> [!NOTE]
+> For HoloLens devices, you can automatically manage feature updates (released twice a year) and quality updates (released monthly or as required, including critical security updates). For more information about update types, see [Types of updates managed by Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb#types-of-updates-managed-by-windows-update-for-business).
-## Go back to a previous version (HoloLens 2)
+You can configure Windows Update for Business settings for HoloLens by using policies in a Mobile Device Management (MDM) solution such as Microsoft Intune.
-In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Advanced Recovery Companion to reset your HoloLens to the earlier version.
+For a detailed discussion about how to use Intune to configure Windows Update for Business, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/intune/protect/windows-update-for-business-configure).
-> [!NOTE]
-> Going back to an earlier version deletes your personal files and settings.
+> [!IMPORTANT]
+> Intune provides two policy types for managing updates: *Windows 10 update ring* and *Windows 10 feature updates*. The Windows 10 feature update policy type is in public preview at this time and is not supported for HoloLens.
+>
+> You can use Windows 10 update ring policies to manage HoloLens 2 updates.
-To go back to a previous version of HoloLens 2, follow these steps:
+### Configure update policies for HoloLens 2 or HoloLens (1st gen)
-1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
-1. On your PC, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store.
-1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download).
-1. When you have finished these downloads, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it.
-1. Connect your HoloLens to your PC using a USB-A to USB-C cable . (Even if you've been using other cables to connect your HoloLens, this one works best.)
-1. The Advanced Recovery Companion automatically detects your HoloLens. Select the **Microsoft HoloLens** tile.
-1. On the next screen, select **Manual package selection** and then select the installation file contained in the folder that you unzipped in step 4. (Look for a file with the .ffu extension.)
-1. Select **Install software**, and follow the instructions.
+This section describes the policies that you can use to manage updates for either HoloLens 2 or HoloLens (1st gen). For information about additional functionality that is available for HoloLens 2, see [Plan and configure update rollouts for HoloLens 2](#plan-and-configure-update-rollouts-for-hololens-2).
-## Go back to a previous version (HoloLens (1st gen))
+The [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update) defines the policies that configure Windows Update for Business.
-In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version.
+> [!NOTE]
+> For details about specific policies that are supported by specific editions of HoloLens, see [Policies supported by HoloLens devices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-devices).
-> [!NOTE]
-> Going back to an earlier version deletes your personal files and settings.
+#### Configure automatic checks for updates
-To go back to a previous version of HoloLens (1st gen), follow these steps:
+You can use the **Update/AllowAutoUpdate** policy to manage automatic update behavior, such as scanning, downloading, and installing updates.
-1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
-1. On your PC, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
-1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery).
-1. When the downloads finish, open **File explorer** > **Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all** > **Extract** to unzip it.
-1. Connect your HoloLens to your PC using the micro-USB cable that it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
-1. The WDRT will automatically detect your HoloLens. Select the **Microsoft HoloLens** tile.
-1. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the .ffu extension.)
-1. Select **Install software**, and follow the instructions.
+This policy supports the following values:
-> [!NOTE]
-> If the WDRT doesn't detect your HoloLens, try restarting your PC. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions.
+- **0** - Notify the user when there is an update that is ready to download that applies to the device.
+- **1** - Automatically install the update, and then notify the user to schedule a device restart.
+- **2** - Automatically install the update, and then restart the device. This is the recommended value, and it is the default value for this policy.
-# Use policies to manage updates to HoloLens
+- **3** - Automatically install the update, and then restart at a specified time. Specify the installation day and time. If no day and time are specified, the default is daily at 3 A.M.
->[!NOTE]
->HoloLens (1st gen) devices must be [upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage updates.
+- **4** - Automatically install the update, and then restart the device. This option also sets the Settings page to read-only.
+
+- **5** - Turn off automatic updates.
+
+For more details about the available settings for this policy, see [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate).
+
+> [!NOTE]
+> In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. For more information, see [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
+
+#### Configure an update schedule
To configure how and when updates are applied, use the following policies:
-- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
+- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday).
+ - Values: **0**–**7** (0 = every day, 1 = Sunday, 7 = Saturday)
+ - Default value: **0** (every day)
+- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime).
+ - Values: 0–23 (0 = midnight, 23 = 11 P.M.)
+ - Default value: 3 P.M.
-To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates:
+#### For devices that run Windows 10, version 1607 only
-- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-
-In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure))
-
-For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices and get updates from the Windows Server Update Service (WSUS), instead of Windows Update:
+You can use the following update policies to configure devices to get updates from the Windows Server Update Service (WSUS), instead of Windows Update:
- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice)
- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl)
-For more information about using policies to manage HoloLens, see the following articles:
+### Plan and configure update rollouts for HoloLens 2
-- [Policies supported by HoloLens 2](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-2)
-- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business)
-- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+HoloLens 2 supports more update automation features than HoloLens (1st gen). this is especially true if you use Microsoft Intune to manage Windows Update for Business policy. These features make it easier for you to plan and implement update rollouts across your organization.
+
+#### Plan the update strategy
+
+Windows Updates for Business supports deferral policies. After Microsoft releases an update, you can use a deferral policy to define how long to wait before installing that update on devices. By associating subsets of your devices (referred to as *update rings*) with different deferral policies, you can coordinate an update rollout strategy for your organization.
+
+For example, consider an organization that has 1,000 devices and has to update them in five ways. The organization can create five update rings, as shown in the following table.
+
+|Group |Number of devices |Deferral (days) |
+| ---| :---: | :---: |
+|Grp 1 (IT staff) |5 |0 |
+|Grp 2 (early adopters) |50 |60 |
+|Grp 3 (main 1) |250 |120 |
+|Grp 4 (main 2) |300 |150 |
+|Grp 5 (main 3) |395 |180 |
+
+Here's how the rollout progresses over time to the entire organization.
+
+
+
+#### Configure an update deferral policy
+
+A deferral policy specifies the number of days between the date that an update becomes available and the date that the update is offered to a device.
+
+You can configure different deferrals for feature updates and quality updates. The following table lists the specific policies to use for each type, as well as the maximum deferral for each.
+
+|Category |Policy |Maximum deferral |
+| --- | --- | --- |
+|Feature updates |DeferFeatureUpdatesPeriodInDays |365 days |
+|Quality updates |DeferQualityUpdatesPeriodInDays |30 days |
+
+#### Examples: Using Intune to manage updates
+
+**Example 1: Create and assign an update ring**
+
+For a more detailed version of this example, see [Create and assign update rings](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure#create-and-assign-update-rings).
+
+1. Sign in to the [Microsoft Endpoint Manager Admin Center](https://go.microsoft.com/fwlink/?linkid=2109431), and navigate to your Intune profiles.
+1. Select **Software Updates** > **Windows 10 update rings** > **Create**.
+1. Under **Basics**, specify a name and a description (optional), and then select **Next**.
+1. Under **Update ring settings**, for **Servicing channel**, select **Semi-Annual Channel**, and then change **Feature update deferral period** to **120**. Then, select **Next**.
+1. Under **Assignments**, select **+ Select groups to include**, and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignments. Then, select **Next**.
+1. Under **Review + create**, review the settings. When you're ready to save the update ring configuration, select **Create**.
+
+The list of update rings now includes the new Windows 10 update ring.
+
+**Example 2: Pause an update ring**
+
+If you encounter a problem when you deploy a feature or quality update, you can pause the update for 35 days (starting from a specified date). This pause prevents other devices from installing the update until you resolve or mitigate the issue. If you pause a feature update, quality updates are still offered to devices to make sure that they stay secure. After the specified time has passed, the pause automatically expires. At that point, the update process resumes.
+
+To pause an update ring in Intune, follow these steps:
+
+1. On the overview page for the update ring, select **Pause**.
+1. Select the type of update (**Feature** or **Quality**) to pause, and then select **OK**.
+
+When an update type is paused, the Overview pane for that ring displays how many days remain before that update type resumes.
+
+While the update ring is paused, you can select either of the following options:
+
+- To extend the pause period for an update type for 35 days, select **Extend**.
+- To restore updates for that ring to active operation, select **Resume**. You can pause the update ring again if it is necessary.
+
+> [!NOTE]
+> The **Uninstall** operation for update rings is not supported for HoloLens 2 devices.
+
+## Manually check for updates
+
+Although HoloLens periodically checks for system updates so that you don't have to, there may be circumstances in which you want to manually check.
+
+To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app indicates that your device is up to date, you have all the updates that are currently available.
+
+## Manually revert an update
+
+In some cases, you might want to go back to a previous version of the HoloLens software. The process for doing this depends on whether you are using HoloLens 2 or HoloLens (1st gen).
+
+### Go back to a previous version (HoloLens 2)
+
+You can roll back updates and return to a previous version of HoloLens 2 by using the Advanced Recovery Companion to reset your HoloLens to the earlier version.
+
+> [!NOTE]
+> Reverting to an earlier version deletes your personal files and settings.
+
+To go back to a previous version of HoloLens 2, follow these steps:
+
+1. Make sure that you don't have any phones or Windows devices plugged in to your computer.
+1. On your computer, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store.
+1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download).
+1. When you have finished these downloads, open **File explorer** > **Downloads**, right-click the compressed (zipped) folder that you just downloaded, and then select **Extract all** > **Extract** to expand the file.
+1. Use a USB-A to USB-C cable to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens, this kind of cable works best.
+1. The Advanced Recovery Companion automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile.
+1. On the next screen, select **Manual package selection**, and then open the folder that you previously expanded.
+1. Select the installation file (the file that has an .ffu extension).
+1. Select **Install software**, and then follow the instructions.
+
+### Go back to a previous version (HoloLens (1st gen))
+
+You can roll back updates and return to a previous version of HoloLens (1st gen) by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version.
+
+> [!NOTE]
+> Reverting to an earlier version deletes your personal files and settings.
+
+To go back to a previous version of HoloLens (1st gen), follow these steps:
+
+1. Make sure that you don't have any phones or Windows devices plugged in to your computer.
+1. On your computer, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
+1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery).
+1. After the downloads finish, open **File explorer** > **Downloads**, right-click the compressed (zipped) folder that you just downloaded, and then select **Extract all** > **Extract** to expand the file.
+1. Use the micro-USB cable that was provided together with your HoloLens device to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens device, this one works best.
+1. The WDRT automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile.
+1. On the next screen, select **Manual package selection**, and then open the folder that you previously expanded.
+1. Select the installation file (the file that has an .ffu extension).
+1. Select **Install software**, and then follow the instructions.
+
+> [!NOTE]
+> If the WDRT doesn't detect your HoloLens device, try restarting your computer. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions.
+
+## Related articles
+
+- [Deploy updates using Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb)
+- [Assign devices to servicing channels for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates)
+- [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure)
diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md
deleted file mode 100644
index 59c777fdec..0000000000
--- a/devices/hololens/hololens-whats-new.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: What's new in Microsoft HoloLens (HoloLens)
-description: Windows Holographic for Business gets new features in Windows 10, version 1809.
-ms.prod: hololens
-ms.sitesec: library
-author: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 11/13/2018
-ms.reviewer:
-manager: dansimp
----
-
-# What's new in Microsoft HoloLens
-
-## Windows 10, version 1809 for Microsoft HoloLens
-
-> **Applies to:** Hololens (1st gen)
-
-### For everyone
-
-| Feature | Details |
-|---|---|
-| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app.
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.
 |
-| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) |
-| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
-| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). |
-| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
-| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. |
-| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. |
-| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
-| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
-
-### For administrators
-
-| Feature | Details |
-|---|----|
-| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
-| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
-| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
-| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
-| Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
-| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
-
-### For international customers
-
-
-Feature | Details
---- | ---
-Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.
-Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English.
-
-[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md)
-
-
-## Windows 10, version 1803 for Microsoft HoloLens
-
-> **Applies to:** Hololens (1st gen)
-
-Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
-
-- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
-
-- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
-
-- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#wizard).
-
- 
-
-- When you create a local account in a provisioning package, the password no longer expires every 42 days.
-
-- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
-
-- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
-
-- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
-
-- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
-
-- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
-
-- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
-
-- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
-
-- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md
new file mode 100644
index 0000000000..5589ec096d
--- /dev/null
+++ b/devices/hololens/hololens2-autopilot.md
@@ -0,0 +1,248 @@
+---
+title: Windows Autopilot for HoloLens 2 evaluation guide
+description:
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 4/10/2020
+ms.prod: hololens
+ms.topic: article
+ms.custom:
+- CI 116283
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: high
+keywords: autopilot
+manager: jarrettr
+appliesto:
+- HoloLens 2
+---
+
+# Windows Autopilot for HoloLens 2 evaluation guide
+
+When you set up HoloLens 2 devices for the Windows Autopilot program, your users can follow a simple process to provision the devices from the cloud.
+
+This Autopilot program supports Autopilot self-deploying mode to provision HoloLens 2 devices as shared devices under your tenant. Self-deploying mode leverages the device's preinstalled OEM image and drivers during the provisioning process. A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE).
+
+
+
+When a user starts the Autopilot self-deploying process, the process completes the following steps:
+
+1. Join the device to Azure Active Directory (Azure AD).
+ > [!NOTE]
+ > Autopilot for HoloLens does not support Active Directory join or Hybrid Azure AD join.
+1. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
+1. Download the device-targeted policies, user-targeted apps, certificates, and networking profiles.
+1. Provision the device.
+1. Present the sign-in screen to the user.
+
+## Windows Autopilot for HoloLens 2: Get started
+
+The following steps summarize the process of setting up your environment for the Windows Autopilot for HoloLens 2. The rest of this section provides the details of these steps.
+
+1. Make sure that you meet the requirements for Windows Autopilot for HoloLens.
+1. Enroll in the Windows Autopilot for HoloLens 2 program.
+1. Verify that your tenant is flighted (enrolled to participate in the program).
+1. Register devices in Windows Autopilot.
+1. Create a device group.
+1. Create a deployment profile.
+1. Verify the ESP configuration.
+1. Configure a custom configuration profile for HoloLens devices (known issue).
+1. Verify the profile status of the HoloLens devices.
+
+### 1. Make sure that you meet the requirements for Windows Autopilot for HoloLens
+For the latest information about how to participate in the program, review [Windows Insider Release Notes](hololens-insider.md#windows-insider-release-notes).
+
+Review the following sections of the Windows Autopilot requirements article:
+
+- [Network requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#networking-requirements)
+- [Licensing requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#licensing-requirements)
+- [Configuration requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#configuration-requirements)
+> [!IMPORTANT]
+> Unlike other Windows Autopilot programs, Windows Autopilot for HoloLens 2 has specific operating system requirements.
+
+Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying#requirements)" section of the Windows Autopilot Self-Deploying mode article. Your environment has to meet these requirements as well as the standard Windows Autopilot requirements.
+
+> [!NOTE]
+> You do not have to review the "Step by step" and "Validation" sections of the article. The procedures later in this article provide corresponding steps that are specific to HoloLens.
+
+> [!IMPORTANT]
+> For information about how to register devices and configure profiles, see [4. Register devices in Windows Autopilot](#4-register-devices-in-windows-autopilot) and [6. Create a deployment profile](#6-create-a-deployment-profile) in this article. These sections provide steps that are specific to HoloLens.
+
+Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
+
+- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
+- Every device can connect to the internet. You can use a wired or wireless connection.
+- Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
+ - Advanced Recovery Companion (ARC)
+ - The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
+
+To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+
+### 2. Enroll in the Windows Autopilot for HoloLens 2 program
+
+To participate in the program, you have to use a tenant that is flighted for HoloLens. To do this, go to [Windows Autopilot for HoloLens Private Preview request](https://aka.ms/APHoloLensTAP) or use the following QR code to submit a request.
+
+
+
+In this request, provide the following information:
+
+- Tenant domain
+- Tenant ID
+- Number of HoloLens 2 devices that are participating in this evaluation
+- Number of HoloLens 2 devices that you plan to deploy by using Autopilot self-deploying mode
+
+### 3. Verify that your tenant is flighted
+
+To verify that your tenant is flighted for the Autopilot program after you submit your request, follow these steps:
+
+1. Sign in to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+1. Select **Devices** > **Windows** > **Windows enrollment** > **Windows Autopilot deployment profiles** > **Create profile**.
+
+ 
+ You should see a list that includes **HoloLens**. If this option is not present, use one of the [Feedback](#feedback) options to contact us.
+
+### 4. Register devices in Windows Autopilot
+
+To register a HoloLens device in the Windows Autopilot program, you have to obtain the hardware hash of the device (also known as the hardware ID). The device can record its hardware hash in a CSV file during the OOBE process, or later when a device owner starts the diagnostic log collection process (described in the following procedure). Typically, the device owner is the first user to sign in to the device.
+
+**Retrieve a device hardware hash**
+
+1. Start the HoloLens 2 device.
+1. On the device, press the Power and Volume Down buttons at the same time and then release them. The device collects diagnostic logs and the hardware hash, and stores them in a set of .zip files.
+1. Use a USB-C cable to connect the device to a computer.
+1. On the computer, open File Explorer. Open **This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents**, and locate the AutopilotDiagnostics.zip file.
+
+ > [!NOTE]
+ > The .zip file may not immediately be available. If the file is not ready yet you may see a HoloLensDiagnostics.temp file in the Documents folder. To update the list of files, refresh the window.
+
+1. Extract the contents of the AutopilotDiagnostics.zip file.
+1. In the extracted files, locate the CSV file that has a file name prefix of "DeviceHash." Copy that file to a drive on the computer where you can access it later.
+ > [!IMPORTANT]
+ > The data in the CSV file should use the following header and line format:
+ > ```
+ > Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User ,,,,
+ >```
+
+**Register the device in Windows Autopilot**
+
+1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment**, and then select **Devices** > **Import** under **Windows Autopilot Deployment Program**.
+
+1. Under **Add Windows Autopilot devices**, select the DeviceHash CSV file, select **Open**, and then select **Import**.
+
+ 
+1. After the import finishes, select **Devices** > **Windows** > **Windows enrollment** > **Devices** > **Sync**. The process might take a few minutes to complete, depending on how many devices are being synchronized. To see the registered device, select **Refresh**.
+
+ 
+
+### 5. Create a device group
+
+1. In Microsoft Endpoint Manager admin center, select **Groups** > **New group**.
+1. For **Group type**, select **Security**, and then enter a group name and description.
+1. For **Membership type**, select either **Assigned** or **Dynamic Device**.
+1. Do one of the following:
+
+ - If you selected **Assigned** for **Membership type** in the previous step, select **Members**, and then add Autopilot devices to the group. Autopilot devices that aren't yet enrolled are listed by using the device serial number as the device name.
+ - If you selected **Dynamic Devices** for **Membership type** in the previous step, select **Dynamic device members**, and then enter code in **Advanced rule** that resembles the following:
+ - If you want to create a group that includes all of your Autopilot devices, type: `(device.devicePhysicalIDs -any _ -contains "[ZTDId]")`
+ - Intune's group tag field maps to the **OrderID** attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices that have a specific group tag (the Azure AD device OrderID), you must type: `(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")`
+ - If you want to create a group that includes all your Autopilot devices that have a specific Purchase Order ID, type: `(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")`
+
+ > [!NOTE]
+ > These rules target attributes that are unique to Autopilot devices.
+1. Select **Save**, and then select **Create**.
+
+### 6. Create a deployment profile
+
+1. In Microsoft Endpoint Manager admin center, select **Devices** > **Windows** > **Windows enrollment** > **Windows Autopilot deployment profiles** > **Create profile** > **HoloLens**.
+1. Enter a profile name and description, and then select **Next**.
+
+ 
+1. On the **Out-of-box experience (OOBE)** page, most of the settings are pre-configured to streamline OOBE for this evaluation. Optionally, you can configure the following settings:
+
+ - **Language (Region)**: Select the language for OOBE. We recommend that you select a language from the list of [supported languages for HoloLens 2](hololens2-language-support.md).
+ - **Automatically configure keyboard**: To make sure that the keyboard matches the selected language, select **Yes**.
+ - **Apply device name template**: To automatically set the device name during OOBE, select **Yes** and then enter the template phrase and placeholders in **Enter a name** For example, enter a prefix and `%RAND:4%`—a placeholder for a four-digit random number.
+ > [!NOTE]
+ > If you use a device name template, the OOBE process restarts the device one additional time after it applies the device name and before it joins the device to Azure AD. This restart enables the new name to take effect.
+
+ 
+1. After you configure the settings, select **Next**.
+1. On the **Scope tags** page, optionally add the scope tags that you want to apply to this profile. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags.md). When finished, select **Next**.
+1. On the **Assignments** page, select **Selected groups** for **Assign to**.
+1. Under **SELECTED GROUPS**, select **+ Select groups to include**.
+1. In the **Select groups to include** list, select the device group that you created for the Autopilot HoloLens devices, and then select **Next**.
+
+ If you want to exclude any groups, select **Select groups to exclude**, and select the groups that you want to exclude.
+
+ 
+1. On the **Review + Create** page, review the settings and then select **Create** to create the profile.
+
+ 
+
+### 7. Verify the ESP configuration
+
+The Enrollment Status Page (ESP) displays the status of the complete device configuration process that runs when an MDM managed user signs into a device for the first time. Make sure that your ESP configuration resembles the following, and verify that the assignments are correct.
+
+
+
+### 8. Configure a custom configuration profile for HoloLens devices (known issue)
+
+1. In [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), select **Devices** > **Configuration profiles** > **Create profile**.
+1. For **Platform**, specify **Windows 10 and later**, and for **Profile**, select **Custom**.
+1. Select **Create**.
+1. Enter a name for the profile, and then select **Settings** > **Configure**.
+
+ 
+1. Select **Add**, and then specify the following information:
+
+ - **Name**: SidecarPath
+ - **OMA-URI**: ./images/Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/Sidecar/InstallationState
+ - **Data type**: Integer
+ - **Value**: 2
+1. Select **OK** two times, and then select **Create** to create the profile.
+1. After Intune creates the configuration profile, assign the configuration profile to the device group for the HoloLens devices.
+
+### 9. Verify the profile status of the HoloLens devices
+
+1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment** > **Devices**.
+1. Verify that the HoloLens devices are listed, and that their profile status is **Assigned**.
+ > [!NOTE]
+ > It may take a few minutes for the profile to be assigned to the device.
+
+ 
+
+## Windows Autopilot for HoloLens 2 User Experience
+
+Your HoloLens users can follow these steps to provision HoloLens devices.
+
+1. Use the USB-C cable to connect the HoloLens device to a computer that has Advanced Recovery Companion (ARC) installed and has the appropriate Windows update downloaded.
+1. Use ARC to flash the appropriate version of Windows on to the device.
+1. Connect the device to the network, and then restart the device.
+ > [!IMPORTANT]
+ > You must connect the device to the network before the Out-of-the-Box-Experience (OOBE) starts. The device determines whether it is provisioning as an Autopilot device while on the first OOBE screen. If the device cannot connect to the network, or if you choose not to provision the device as an Autopilot device, you cannot change to Autopilot provisioning at a later time. Instead, you would have to start this procedure over in order to provision the device as an Autopilot device.
+
+ The device should automatically start OOBE. Do not interact with OOBE. Instead sit, back and relax! Let HoloLens 2 detect network connectivity and allow it complete OOBE automatically. The device may restart during OOBE. The OOBE screens should resemble the following.
+
+ 
+ 
+ 
+ 
+
+At the end of OOBE, you can sign in to the device by using your user name and password.
+
+ 
+
+## Known Issues
+
+- The list of supported languages for Autopilot deployment profiles includes languages that HoloLens does not support. Select a language that [HoloLens supports](hololens2-language-support.md).
+
+## Feedback
+
+To provide feedback or report issues, use one of the following methods:
+
+- Use the Feedback Hub app. You can find this app on a HoloLens-connected computer. In Feedback Hub, select the **Enterprise Management** > **Device** category.
+
+ When you provide feedback or report an issue, provide a detailed description. If applicable, include screenshots and logs.
+- Send an email message to [hlappreview@microsoft.com](mailto:hlappreview@microsoft.com). For the email subject, enter **\<*Tenant*> Autopilot for HoloLens 2 evaluation feedback** (where \<*Tenant*> is the name of your Intune tenant).
+
+ Provide a detailed description in your message. However, unless Support personnel specifically request it, do not include data such as screenshots or logs. Such data might include private or personally identifiable information (PII).
diff --git a/devices/hololens/hololens2-hardware.md b/devices/hololens/hololens2-hardware.md
index ca62dbf852..6b8175e59d 100644
--- a/devices/hololens/hololens2-hardware.md
+++ b/devices/hololens/hololens2-hardware.md
@@ -123,7 +123,6 @@ In order to maintain/advance Internal Battery Charge Percentage while the device
- Windows Holographic Operating System
- Microsoft Edge
- Dynamics 365 Remote Assist
-- Dynamics 365 Layout
- Dynamics 365 Guides
- 3D Viewer
- OneDrive for Business
@@ -136,26 +135,6 @@ In order to maintain/advance Internal Battery Charge Percentage while the device
HoloLens 2 has been tested and conforms to the basic impact protection requirements of ANSI Z87.1, CSA Z94.3 and EN 166.
-## Care and cleaning
-
-Handle your HoloLens carefully. Use the headband to lift and carry the HoloLens 2.
-
-As you would for eyeglasses or protective eye-wear, try to keep the HoloLens visor free of dust and fingerprints. When possible, avoid touching the visor. Repeated cleaning could damage the visor, so keep your device clean!
-
-Don't use any cleaners or solvents on your HoloLens, and don't submerge it in water or apply water directly to it.
-
-To clean the visor, remove any dust by using a camel or goat hair lens brush or a bulb-style lens blower. Lightly moisten the microfiber cloth with a small amount of distilled water, then use it to wipe the visor gently in a circular motion.
-
-Clean the rest of the device, including the headband and device arms, with a lint-free microfiber cloth moistened with mild soap and water. Let your HoloLens dry completely before reuse.
-
-
-
-### Replace the brow pad
-
-The brow pad is magnetically attached to the device. To detach it, pull gently away. To replace it, snap it back into place.
-
-
-
## Next step
> [!div class="nextstepaction"]
diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md
index 9c56ec9d8c..955eec82e6 100644
--- a/devices/hololens/hololens2-language-support.md
+++ b/devices/hololens/hololens2-language-support.md
@@ -7,7 +7,11 @@ author: Teresa-Motiv
ms.author: v-tea
ms.topic: article
ms.localizationpriority: medium
-ms.date: 9/12/2019
+ms.custom:
+- CI 115225
+- CSSTroubleshooting
+keywords: localize, language support, display language, keyboard language, IME, keyboard layout
+ms.date: 03/12/2020
audience: ITPro
ms.reviewer: jarrettr
manager: jarrettr
@@ -17,7 +21,7 @@ appliesto:
# Supported languages for HoloLens 2
-HoloLens 2 supports the following languages, including voice commands and dictation features, keyboard layouts, and OCR recognition within apps.
+HoloLens 2 is localized into the following languages. The localization features include speech commands and dictation, keyboard layouts, and OCR recognition within apps.
- Chinese Simplified (China)
- English (Australia)
@@ -31,43 +35,43 @@ HoloLens 2 supports the following languages, including voice commands and dictat
- Japanese (Japan)
- Spanish (Spain)
-HoloLens 2 is also available in the following languages. However, this support does not include speech commands or dictation features.
+HoloLens 2 also supports the following languages. However, this support does not include speech commands or dictation features.
- Chinese Traditional (Taiwan and Hong Kong)
- Dutch (Netherlands)
- Korean (Korea)
-## Changing language or keyboard
-
-The setup process configures your HoloLens for a region and language. You can change this configuration by using the **Time & language** section of **Settings**.
-
-> [!NOTE]
-> Your speech and dictation language depends on the Windows display language.
-
-## To change the Windows display language
-
-1. Go to the **Start** menu, and then select **Settings** > **Time and language** > **Language**.
-2. Select **Windows display language**, and then select a language.
-
-If the supported language you’re looking for is not in the menu, follow these steps:
-
-1. Under **Preferred languages** select **Add a language**.
-2. Search for and add the language.
-3. Select the **Windows display language** menu again and choose the language you added.
-
-The Windows display language affects the following settings for Windows and for apps that support localization:
+Some features of HoloLens 2 use the Windows display language. The Windows display language affects the following settings for Windows and for apps that support localization:
- The user interface text language.
- The speech language.
- The default layout of the on-screen keyboard.
-## To change the keyboard layout
+## Change the language or keyboard layout
-To add or remove a keyboard layout, open the **Start** menu and then select **Settings** > **Time & language** > **Keyboard**.
+The setup process configures your HoloLens for a specific region and language. You can change this configuration by using the **Time & language** section of **Settings**.
+
+> [!NOTE]
+> Your speech and dictation language depends on (and is the same as) the Windows display language.
+
+### To change the Windows display language
+
+1. Open the **Start** menu, and then select **Settings** > **Time and language** > **Language**.
+2. Select **Windows display language**, and then select a language.
+
+If the supported language that you're looking for is not in the menu, follow these steps:
+
+1. Under **Preferred languages**, select **Add a language**.
+2. Locater and add the language.
+3. Select the **Windows display language** menu again, and then select the language that you added in the previous step.
+
+### To change the keyboard layout
+
+To add or remove a keyboard layout, open the **Start** menu, and then select **Settings** > **Time & language** > **Keyboard**.
If your HoloLens has more than one keyboard layout, use the **Layout** key to switch between them. The **Layout** key is in the lower right corner of the on-screen keyboard.
-> [!NOTE]
+> [!NOTE]
> The on-screen keyboard can use Input Method Editor (IME) to enter characters in languages such as Chinese. However, HoloLens does not support external Bluetooth keyboards that use IME.
->
-> While you use IME with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press ~.
+>
+> While you use IME together with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press the tilde character button (**~**).
diff --git a/devices/hololens/hololens2-maintenance.md b/devices/hololens/hololens2-maintenance.md
new file mode 100644
index 0000000000..88617eea68
--- /dev/null
+++ b/devices/hololens/hololens2-maintenance.md
@@ -0,0 +1,84 @@
+---
+title: HoloLens 2 cleaning FAQ
+description:
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 4/14/2020
+ms.prod: hololens
+ms.topic: article
+ms.custom:
+- CI 115560
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+keywords:
+manager: jarrettr
+appliesto:
+- HoloLens 2
+---
+
+# HoloLens 2 cleaning FAQ
+
+> [!IMPORTANT]
+> Microsoft cannot make a determination of the effectiveness of any given disinfectant product in fighting pathogens such as COVID-19. Please refer to your local public health authority's guidance about how to stay safe from potential infection.
+
+## What are the general cleaning instructions for HoloLens 2 devices?
+
+**To clean the device**
+
+1. Remove any dust by using a dry, lint-free microfiber cloth to gently wipe the surface of the device.
+1. Lightly moisten the cloth by using medical "70%" isopropyl alcohol, and then use the moistened cloth to gently wipe the surface of the device.
+
+ 
+
+1. Let the device dry completely.
+
+**To clean the brow pad**
+
+1. Use water and a mild, antibiotic soap to moisten a cloth, and then use the moistened cloth to wipe the brow pad.
+1. Let the brow pad dry completely.
+
+## Can I use any lens cleaner for cleaning the HoloLens visor?
+
+No. Lens cleaners can be abrasive to the coatings on the visor. To clean the visor, follow these steps:
+
+1. Remove any dust by using a dry lint-free microfiber cloth to gently wipe the visor.
+1. Lightly moisten a cloth by using medical "70%" isopropyl alcohol, and then gently wipe the visor.
+1. Let the visor dry completely.
+
+## Can I use disinfecting wipes to clean the device?
+
+Yes, if the wipes do not contain bleach. You can use non-bleach disinfecting wipes to [gently wipe the HoloLens surfaces](#what-are-the-general-cleaning-instructions-for-hololens-2-devices).
+
+> [!CAUTION]
+> Avoid using disinfecting wipes that contains bleach to clean the HoloLens surfaces. It is acceptable to use bleach wipes in critical situations, when nothing else is available. However, bleach may damage the HoloLens visor or other surfaces.
+
+## Can I use alcohol to clean the device?
+
+Yes. You can use a solution of "70%" isopropyl alcohol and water to clean the hard surfaces of the device, including the visor. Lightly moisten the cloth by using a mix of isopropyl alcohol and water, and then gently wipe the surface of the device
+
+## Is the brow pad replaceable?
+
+Yes. The brow pad is magnetically attached to the device. To detach it, pull it gently away from the headband. To replace it, snap it back into place.
+
+
+
+## How can I clean the brow pad?
+
+To clean the brow pad, wipe it by using a cloth that's moistened by using water and a mild antibiotic soap. Let the brow pad dry completely before you use it again.
+
+## Can I use ultraviolet (UV) light to sanitize the device?
+
+UV-C germicidal irradiation has not been tested on HoloLens 2.
+
+> [!CAUTION]
+> High levels of UV-A and UV-B exposure can degrade the display quality of the device and damage the visor coating. Over-exposure to UV-A and UV-B radiation has the following effects, in order of the duration and intensity of exposure:
+>
+> 1. The brow pad and device closures become discolored.
+> 1. Defects appear in the anti-reflective (AR) coating on the visor and on the sensor windows.
+> 1. Defects appear in the base materials of the visor and on the sensor windows.
+> 1. SRG performance degrades.
+
+## Is the rear pad replaceable?
+
+No.
diff --git a/devices/hololens/images/hololens-ap-devices-assignments.png b/devices/hololens/images/hololens-ap-devices-assignments.png
new file mode 100644
index 0000000000..f99eaa367d
Binary files /dev/null and b/devices/hololens/images/hololens-ap-devices-assignments.png differ
diff --git a/devices/hololens/images/hololens-ap-devices-sync.png b/devices/hololens/images/hololens-ap-devices-sync.png
new file mode 100644
index 0000000000..fe970f7983
Binary files /dev/null and b/devices/hololens/images/hololens-ap-devices-sync.png differ
diff --git a/devices/hololens/images/hololens-ap-enrollment-profiles.png b/devices/hololens/images/hololens-ap-enrollment-profiles.png
new file mode 100644
index 0000000000..1e3e8dfaa4
Binary files /dev/null and b/devices/hololens/images/hololens-ap-enrollment-profiles.png differ
diff --git a/devices/hololens/images/hololens-ap-hash-import.png b/devices/hololens/images/hololens-ap-hash-import.png
new file mode 100644
index 0000000000..078e73d78c
Binary files /dev/null and b/devices/hololens/images/hololens-ap-hash-import.png differ
diff --git a/devices/hololens/images/hololens-ap-intro.png b/devices/hololens/images/hololens-ap-intro.png
new file mode 100644
index 0000000000..8095114167
Binary files /dev/null and b/devices/hololens/images/hololens-ap-intro.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png b/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png
new file mode 100644
index 0000000000..9e6dc92a3c
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-name.png b/devices/hololens/images/hololens-ap-profile-name.png
new file mode 100644
index 0000000000..a427b437b8
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-name.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-oobe.png b/devices/hololens/images/hololens-ap-profile-oobe.png
new file mode 100644
index 0000000000..e14226d7ad
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-oobe.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-settings-oma.png b/devices/hololens/images/hololens-ap-profile-settings-oma.png
new file mode 100644
index 0000000000..7528f55292
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-settings-oma.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-settings.png b/devices/hololens/images/hololens-ap-profile-settings.png
new file mode 100644
index 0000000000..5753814e1b
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-settings.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-summ.png b/devices/hololens/images/hololens-ap-profile-summ.png
new file mode 100644
index 0000000000..4fb955bbdf
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-summ.png differ
diff --git a/devices/hololens/images/hololens-ap-qrcode.png b/devices/hololens/images/hololens-ap-qrcode.png
new file mode 100644
index 0000000000..c5296e3e91
Binary files /dev/null and b/devices/hololens/images/hololens-ap-qrcode.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-1.png b/devices/hololens/images/hololens-ap-uex-1.png
new file mode 100644
index 0000000000..f89faa366a
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-1.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-2.png b/devices/hololens/images/hololens-ap-uex-2.png
new file mode 100644
index 0000000000..5bf1beb3f0
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-2.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-3.png b/devices/hololens/images/hololens-ap-uex-3.png
new file mode 100644
index 0000000000..59a7362269
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-3.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-4.png b/devices/hololens/images/hololens-ap-uex-4.png
new file mode 100644
index 0000000000..f17557b5c4
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-4.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-5.png b/devices/hololens/images/hololens-ap-uex-5.png
new file mode 100644
index 0000000000..0bd23da48e
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-5.png differ
diff --git a/devices/hololens/images/hololens-updates-timeline.png b/devices/hololens/images/hololens-updates-timeline.png
new file mode 100644
index 0000000000..4b1e986948
Binary files /dev/null and b/devices/hololens/images/hololens-updates-timeline.png differ
diff --git a/devices/hololens/images/mdm-enrollment-error.png b/devices/hololens/images/mdm-enrollment-error.png
new file mode 100644
index 0000000000..77b695d1cf
Binary files /dev/null and b/devices/hololens/images/mdm-enrollment-error.png differ
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index 98835e4ce5..47862d7138 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -1,6 +1,6 @@
---
title: Microsoft HoloLens
-description: Landing page Microsoft HoloLens.
+description: Landing page for Microsoft HoloLens.
ms.prod: hololens
ms.sitesec: library
ms.assetid: 0947f5b3-8f0f-42f0-aa27-6d2cad51d040
@@ -10,8 +10,11 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 10/14/2019
audience: ITPro
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
appliesto:
-- HoloLens 1
+- HoloLens (1st gen)
- HoloLens 2
---
@@ -45,12 +48,13 @@ appliesto:
| Topic | Description |
| --- | --- |
| [What's new in HoloLens](hololens-whats-new.md) | Discover new features in the latest updates via HoloLens release notes. |
-| [Install and manage applications on HoloLens](hololens-install-apps.md) | Install and manage important applications on HoloLens at scale. |
+| [Install and manage applications on HoloLens](hololens-install-apps.md) | Install and manage important applications on HoloLens at scale. |
| [HoloLens update management](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. |
-| [HoloLens user management](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. |
+| [HoloLens user management](hololens-multiple-users.md) | Multiple users can share a HoloLens device by using their Azure Active Directory accounts. |
| [HoloLens application access management](hololens-kiosk.md) | Manage application access for different user groups. |
-| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. |
-| [Get support](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in enterprise. |
+| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. |
+| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection) | Create a new support request for the business support team. |
+| [More support options](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in the enterprise. |
## Related resources
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 59d2d76a0d..67516c9773 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -1,4 +1,4 @@
-# [Microsoft Surface Hub](index.md)
+# [Microsoft Surface Hub](index.yml)
# Surface Hub 2S
@@ -42,8 +42,10 @@
### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)
+### [Update pen firmware on Surface Hub 2S](surface-hub-2s-pen-firmware.md)
## Secure
+### [Surface Hub security overview](surface-hub-security.md)
### [Secure and manage Surface Hub 2S with SEMM and UEFI](surface-hub-2s-secure-with-uefi-semm.md)
### [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
@@ -57,8 +59,8 @@
## Overview
### [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md)
### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md)
-### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md)
-### [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md)
+### [Technical information for 55" Microsoft Surface Hub](surface-hub-technical-55.md)
+### [Technical information for 84" Microsoft Surface Hub](surface-hub-technical-84.md)
### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d)
## Plan
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md
index 031501c2b4..8237e61a08 100644
--- a/devices/surface-hub/accessibility-surface-hub.md
+++ b/devices/surface-hub/accessibility-surface-hub.md
@@ -3,7 +3,7 @@ title: Accessibility (Surface Hub)
description: Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.
ms.assetid: 1D44723B-1162-4DF6-99A2-8A3F24443442
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index 8125113887..81c03b484c 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Admin group management (Surface Hub)
description: Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device.
ms.assetid: FA67209E-B355-4333-B903-482C4A3BDCCE
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: admin group management, Settings app, configure Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index 7b44ff3d38..f74f2297fa 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -3,7 +3,7 @@ title: PowerShell for Surface Hub (Surface Hub)
description: PowerShell scripts to help set up and manage your Microsoft Surface Hub.
ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: PowerShell, set up Surface Hub, manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
index 7ea2bc584c..66dd43f75c 100644
--- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Applying ActiveSync policies to device accounts (Surface Hub)
description: The Microsoft Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.
ms.assetid: FAABBA74-3088-4275-B58E-EC1070F4D110
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, ActiveSync policies
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 2d55222b1b..77ce204725 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -1,7 +1,7 @@
---
title: Change history for Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics for Surface Hub.
keywords: change history
ms.prod: surface-hub
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 142af6e80e..d20e57a184 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -3,7 +3,7 @@ title: Change the Microsoft Surface Hub device account
description: You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.
ms.assetid: AFC43043-3319-44BC-9310-29B1F375E672
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: change device account, change properties, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 5fd13d7b95..d5f39c55db 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -3,7 +3,7 @@ title: Connect other devices and display with Surface Hub
description: You can connect other device to your Surface Hub to display content.
ms.assetid: 8BB80FA3-D364-4A90-B72B-65F0F0FC1F0D
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.prod: surface-hub
ms.sitesec: library
author: dansimp
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index ff76987746..29f9557045 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -3,7 +3,7 @@ title: Create a device account using UI (Surface Hub)
description: If you prefer to use a graphical user interface, you can create a device account for your Microsoft Surface Hub with either the Office 365 UI or the Exchange Admin Center.
ms.assetid: D11BCDC4-DABA-4B9A-9ECB-58E02CC8218C
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: create device account, Office 365 UI, Exchange Admin center, Microsoft 365 admin center, Skype for Business, mobile device mailbox policy
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index dc72c7463a..8985f70c9d 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -3,7 +3,7 @@ title: Create and test a device account (Surface Hub)
description: This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
ms.assetid: C8605B5F-2178-4C3A-B4E0-CE32C70ECF67
ms.reviewer: rikot
-manager: dansimp
+manager: laurawi
keywords: create and test device account, device account, Surface Hub and Microsoft Exchange, Surface Hub and Skype
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index 6d7d33415f..8eb3486d7d 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -3,7 +3,7 @@ title: Reset or recover a Surface Hub
description: Describes the reset and recovery processes for the Surface Hub, and provides instructions.
ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: reset Surface Hub, recover
ms.prod: surface-hub
ms.sitesec: library
@@ -90,7 +90,7 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
1. Use the power switch to turn the Surface Hub back on. The device starts and displays the Surface Hub Logo screen. When you see spinning dots under the Surface Hub Logo, use the power switch to turn the Surface Hub off again.
-1. Repeat step 3 three times, or until the Surface Hub displays the “Preparing Automatic Repair” message. After it displays this message, the Surface Hub displays the Windows RE screen.
+1. Repeat step 3 three times, or until the Surface Hub displays the "Preparing Automatic Repair" message. After it displays this message, the Surface Hub displays the Windows RE screen.
1. Select **Advanced Options**.
@@ -115,6 +115,12 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
When the download finishes, the recovery process restores the Surface Hub according to the options that you selected.
+
+
+## Contact Support
+
+If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
+
## Related topics
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 73a50f66c9..9309e9b2a3 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/enable-8021x-wired-authentication.md b/devices/surface-hub/enable-8021x-wired-authentication.md
index bf91e2e42c..8ac2baccb6 100644
--- a/devices/surface-hub/enable-8021x-wired-authentication.md
+++ b/devices/surface-hub/enable-8021x-wired-authentication.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 11/15/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index b6fca3a49e..9a100d4a60 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Microsoft Exchange properties (Surface Hub)
description: Some Microsoft Exchange properties of the device account must be set to particular values to have the best meeting experience on Microsoft Surface Hub.
ms.assetid: 3E84393B-C425-45BF-95A6-D6502BA1BF29
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Microsoft Exchange properties, device account, Surface Hub, Windows PowerShell cmdlet
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
index 8776870779..3e02c9bb0a 100644
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 3d38a356f5..8a3bfc6e91 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -3,7 +3,7 @@ title: First-run program (Surface Hub)
description: The term \ 0034;first run \ 0034; refers to the series of steps you'll go through the first time you power up your Microsoft Surface Hub, and means the same thing as \ 0034;out-of-box experience \ 0034; (OOBE). This section will walk you through the process.
ms.assetid: 07C9E84C-1245-4511-B3B3-75939AD57C49
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: first run, Surface Hub, out-of-box experience, OOBE
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index ea543e69f2..329f00f931 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Hybrid deployment (Surface Hub)
description: A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub.
ms.assetid: 7BFBB7BE-F587-422E-9CE4-C9DDF829E4F1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: hybrid deployment, device account for Surface Hub, Exchange hosted on-prem, Exchange hosted online
ms.prod: surface-hub
ms.sitesec: library
@@ -144,7 +144,7 @@ Next, you enable the device account with [Skype for Business Online](#skype-for-
To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need.
-| Skype room system scenario | If you have Office 365 Premium, Office 365 ProPlus, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have Skype for Business Server 2015 (on-premises or hybrid), you need: |
+| Skype room system scenario | If you have Office 365 Premium, Microsoft 365 Apps for enterprise, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have Skype for Business Server 2015 (on-premises or hybrid), you need: |
| --- | --- | --- | --- |
| Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL |
| Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL |
diff --git a/devices/surface-hub/images/sccm-additional.png b/devices/surface-hub/images/configmgr-additional.png
similarity index 100%
rename from devices/surface-hub/images/sccm-additional.png
rename to devices/surface-hub/images/configmgr-additional.png
diff --git a/devices/surface-hub/images/sccm-create.png b/devices/surface-hub/images/configmgr-create.png
similarity index 100%
rename from devices/surface-hub/images/sccm-create.png
rename to devices/surface-hub/images/configmgr-create.png
diff --git a/devices/surface-hub/images/sccm-oma-uri.png b/devices/surface-hub/images/configmgr-oma-uri.png
similarity index 100%
rename from devices/surface-hub/images/sccm-oma-uri.png
rename to devices/surface-hub/images/configmgr-oma-uri.png
diff --git a/devices/surface-hub/images/sccm-platform.png b/devices/surface-hub/images/configmgr-platform.png
similarity index 100%
rename from devices/surface-hub/images/sccm-platform.png
rename to devices/surface-hub/images/configmgr-platform.png
diff --git a/devices/surface-hub/images/sccm-team.png b/devices/surface-hub/images/configmgr-team.png
similarity index 100%
rename from devices/surface-hub/images/sccm-team.png
rename to devices/surface-hub/images/configmgr-team.png
diff --git a/devices/surface-hub/images/hub-sec-1.png b/devices/surface-hub/images/hub-sec-1.png
new file mode 100644
index 0000000000..fe4e25d084
Binary files /dev/null and b/devices/surface-hub/images/hub-sec-1.png differ
diff --git a/devices/surface-hub/images/hub-sec-2.png b/devices/surface-hub/images/hub-sec-2.png
new file mode 100644
index 0000000000..fdf7af7ca6
Binary files /dev/null and b/devices/surface-hub/images/hub-sec-2.png differ
diff --git a/devices/surface-hub/images/sh2-pen-1.png b/devices/surface-hub/images/sh2-pen-1.png
new file mode 100644
index 0000000000..71693c021e
Binary files /dev/null and b/devices/surface-hub/images/sh2-pen-1.png differ
diff --git a/devices/surface-hub/images/sh2-pen.png b/devices/surface-hub/images/sh2-pen.png
index 1a95b9581e..06b344d8c5 100644
Binary files a/devices/surface-hub/images/sh2-pen.png and b/devices/surface-hub/images/sh2-pen.png differ
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
deleted file mode 100644
index f60588a000..0000000000
--- a/devices/surface-hub/index.md
+++ /dev/null
@@ -1,182 +0,0 @@
----
-title: Surface Hub
-author: greg-lindsay
-ms.author: greglin
-manager: laurawi
-layout: LandingPage
-ms.prod: surface-hub
-ms.tgt_pltfrm: na
-ms.devlang: na
-ms.topic: landing-page
-description: "Get started with Microsoft Surface Hub."
-ms.localizationpriority: High
----
-# Get started with Surface Hub
-
-Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Use the links below to learn how to plan, deploy, manage, and support your Surface Hub devices.
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
----
-
-
\ No newline at end of file
diff --git a/devices/surface-hub/index.yml b/devices/surface-hub/index.yml
new file mode 100644
index 0000000000..249deba5a0
--- /dev/null
+++ b/devices/surface-hub/index.yml
@@ -0,0 +1,127 @@
+### YamlMime:Hub
+
+title: Surface Hub documentation # < 60 chars
+summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device. # < 160 chars
+# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin
+brand: windows
+
+metadata:
+ title: Surface Hub documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Get started with Microsoft Surface Hub. # Required; article description that is displayed in search results. < 160 chars.
+ services: product-insights
+ ms.service: product-insights #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.topic: hub-page # Required
+ ms.prod: surface-hub
+ ms.technology: windows
+ audience: ITPro
+ ms.localizationpriority: medium
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ manager: laurawi
+
+# highlightedContent section (optional)
+# Maximum of 8 items
+highlightedContent:
+# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
+ items:
+ # Card
+ - title: What's new in Surface Hub 2S?
+ itemType: whats-new
+ url: surface-hub-2s-whats-new.md
+ # Card
+ - title: Surface Hub security overview
+ itemType: learn
+ url: surface-hub-security.md
+ # Card
+ - title: Manage Surface Hub 2S with Intune
+ itemType: how-to-guide
+ url: surface-hub-2s-manage-intune.md
+ # Card
+ - title: Operating system essentials
+ itemType: learn
+ url: differences-between-surface-hub-and-windows-10-enterprise.md
+ # Card
+ - title: Surface Hub 2S Site Readiness Guide
+ itemType: learn
+ url: surface-hub-2s-site-readiness-guide.md
+ # Card
+ - title: Customize Surface Hub 2S installation
+ itemType: how-to-guide
+ url: surface-hub-2s-custom-install.md
+
+# productDirectory section (optional)
+productDirectory:
+ title: Deploy, manage, and support your Surface Hub devices # < 60 chars (optional)
+ summary: Find related links to deploy, manage and support your Surface Hub devices. # < 160 chars (optional)
+ items:
+ # Card
+ - title: Deploy
+ # imageSrc should be square in ratio with no whitespace
+ imageSrc: https://docs.microsoft.com/office/media/icons/deploy-blue.svg
+ links:
+ - url: surface-hub-2s-adoption-kit.md
+ text: Surface Hub 2S adoption and training
+ - url: surface-hub-2s-deploy-checklist.md
+ text: Surface Hub 2S deployment checklist
+ - url: surface-hub-2s-account.md
+ text: Create device account
+ # Card
+ - title: Manage
+ imageSrc: https://docs.microsoft.com/office/media/icons/process-flow-blue.svg
+ links:
+ - url: surface-hub-2s-manage-intune.md
+ text: Manage with Intune
+ - url: local-management-surface-hub-settings.md
+ text: Manage local settings
+ # Card
+ - title: Secure
+ imageSrc: https://docs.microsoft.com/office/media/icons/security-blue.svg
+ links:
+ - url: surface-hub-2s-secure-with-uefi-semm.md
+ text: Secure with UEFI and SEMM
+ - url: surface-hub-wifi-direct.md
+ text: Wi-Fi security considerations
+ # Card
+ - title: Troubleshoot
+ imageSrc: https://docs.microsoft.com/office/media/icons/connector-blue.svg
+ links:
+ - url: https://support.microsoft.com/help/4493926
+ text: Service and warranty
+ - url: surface-hub-2s-recover-reset.md
+ text: Recover & reset Surface Hub 2S
+ - url: support-solutions-surface-hub.md
+ text: Surface Hub support solutions
+ - url: https://support.office.com/article/Enable-Microsoft-Whiteboard-on-Surface-Hub-b5df4539-f735-42ff-b22a-0f5e21be7627
+ text: Enable Microsoft Whiteboard on Surface Hub
+
+# additionalContent section (optional)
+# Card with links style
+additionalContent:
+ # Supports up to 3 sections
+ sections:
+ - title: Other content # < 60 chars (optional)
+ summary: Find related links for videos, community and support. # < 160 chars (optional)
+ items:
+ # Card
+ - title: Get ready for Surface Hub 2S
+ links:
+ - text: Ordering Surface Hub 2S
+ url: https://www.microsoft.com/p/surface-hub-2S/8P62MW6BN9G4?activetab=pivot:overviewtab
+ - text: Prepare your environment for Surface Hub 2S
+ url: surface-hub-2s-prepare-environment.md
+ # Card
+ - title: Surface Hub 2S Videos
+ links:
+ - text: Adoption and training videos
+ url: surface-hub-2s-adoption-videos.md
+ - text: Surface Hub 2S with Teams
+ url: https://www.youtube.com/watch?v=CH2seLS5Wb0
+ - text: Surface Hub 2S with Microsoft 365
+ url: https://www.youtube.com/watch?v=I4N2lQX4WyI&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ&index=7
+ # Card
+ - title: Community
+ links:
+ - text: Join the Surface Hub Technical Community
+ url: https://techcommunity.microsoft.com/t5/Surface-Hub/bd-p/SurfaceHub
+ - text: Join the Surface Devices Technical Community
+ url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 74505ca6ff..9e1c8767f5 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -3,7 +3,7 @@ title: Install apps on your Microsoft Surface Hub
description: Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.
ms.assetid: 3885CB45-D496-4424-8533-C9E3D0EDFD94
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: install apps, Microsoft Store, Microsoft Store for Business
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
index 810691dfe8..886e4b79f3 100644
--- a/devices/surface-hub/local-management-surface-hub-settings.md
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/08/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index b3a74fc47d..3762de36a4 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage settings with an MDM provider (Surface Hub)
description: Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
ms.assetid: 18EB8464-6E22-479D-B0C3-21C4ADD168FE
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: mobile device management, MDM, manage policies
ms.prod: surface-hub
ms.sitesec: library
@@ -18,7 +18,7 @@ ms.localizationpriority: medium
Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
-Surface Hub has been validated with Microsoft’s first-party MDM providers:
+Surface Hub has been validated with Microsoft's first-party MDM providers:
- Microsoft Intune standalone
- On-premises MDM with Microsoft Endpoint Configuration Manager
@@ -65,25 +65,25 @@ For more information, see [SurfaceHub configuration service provider](https://ms
| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime
MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
-| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Device account, including password rotation | DeviceAccount/*``*
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
-| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set default volume | Properties/DefaultVolume | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set screen timeout | Properties/ScreenTimeout | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set session timeout | Properties/SessionTimeout | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set sleep timeout | Properties/SleepTimeout | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set default volume | Properties/DefaultVolume | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set screen timeout | Properties/ScreenTimeout | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set session timeout | Properties/SessionTimeout | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set sleep timeout | Properties/SleepTimeout | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -97,12 +97,12 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|--------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -110,15 +110,15 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -126,13 +126,13 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -140,7 +140,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|-------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | Yes | Yes | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -150,8 +150,8 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes |
-| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -180,7 +180,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -188,7 +188,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|-------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -196,12 +196,12 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
### Generate OMA URIs for settings
-You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
+You need to use a setting's OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
**To generate the OMA URI for any setting in the CSP documentation**
1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/`
@@ -217,15 +217,13 @@ The data type is also stated in the CSP documentation. The most common data type
- bool (Boolean)
-
## Example: Manage Surface Hub settings with Microsoft Intune
You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**.
-
-## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
+## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
> [!NOTE]
@@ -238,26 +236,26 @@ Configuration Manager supports managing modern devices that do not require the C
3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
4. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**.
- 
+ 
5. On the **Supported Platforms** page, expand **Windows 10** and select **All Windows 10 Team and higher**. Unselect the other Windows platforms, and then click **Next**.
- 
+ 
7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
8. On the **Windows 10 Team** page, configure the settings you require.
- 
+ 
9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
- 
+ 
10. On the **Additional Settings** page, click **Add**.
11. In the **Browse Settings** dialog, click **Create Setting**.
12. In the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
13. Under **Setting type**, select **OMA URI**.
14. Complete the form to create a new setting, and then click **OK**.
- 
+ 
15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
17. Repeat steps 9 to 15 for each custom setting you want to add to the configuration item.
diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md
index a5d76ff156..b217ccee4d 100644
--- a/devices/surface-hub/manage-surface-hub-settings.md
+++ b/devices/surface-hub/manage-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index 4ad681ff5f..10240a192f 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage Microsoft Surface Hub
description: How to manage your Surface Hub after finishing the first-run program.
ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 961a12fcd0..9dee3e2a4b 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -1,9 +1,9 @@
---
-title: Windows updates (Surface Hub)
-description: You can manage Windows updates on your Microsoft Surface Hub by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS).
+title: Manage Windows updates on Surface Hub
+description: You can manage Windows updates on your Microsoft Surface Hub or Surface Hub 2S by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS).
ms.assetid: A737BD50-2D36-4DE5-A604-55053D549045
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Windows updates, Surface Hub, Windows Server Update Services, WSUS
ms.prod: surface-hub
ms.sitesec: library
@@ -13,7 +13,7 @@ ms.topic: article
ms.localizationpriority: medium
---
-# Windows updates (Surface Hub)
+# Manage Windows updates on Surface Hub
New releases of the Surface Hub operating system are published through Windows Update, just like releases of Windows 10. There are a couple of ways you can manage which updates are installed on your Surface Hubs, and the timing for when updates are applied.
- **Windows Update for Business** - New in Windows 10, Windows Update for Business is a set of features designed to provide enterprises additional control over how and when Windows Update installs releases, while reducing device management costs. Using this method, Surface Hubs are directly connected to Microsoft’s Windows Update service.
diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md
index 1b09f33999..5ef43af85c 100644
--- a/devices/surface-hub/miracast-over-infrastructure.md
+++ b/devices/surface-hub/miracast-over-infrastructure.md
@@ -6,13 +6,13 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 06/20/2019
+ms.date: 04/24/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
-# Miracast on existing wireless network or LAN
+# Miracast over infrastructure
In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
@@ -28,7 +28,12 @@ Miracast over Infrastructure offers a number of benefits:
## How it works
-Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+Users attempt to connect to a Miracast receiver through their Wi-Fi adapter as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+> [!NOTE]
+> For more information on the connection negotiation sequence, see [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx)
+
+
## Enabling Miracast over Infrastructure
@@ -36,14 +41,19 @@ Users attempt to connect to a Miracast receiver as they did previously. When the
If you have a Surface Hub or other Windows 10 device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
- The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703.
+- Open TCP port: **7250**.
- A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
- As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Surface Hub or device is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the Surface Hub or device needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled within System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests.
+- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled in System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests that only occur through the Wi-Fi adapter.
It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
The **InBoxApps/WirelessProjection/PinRequired** setting in the [SurfaceHub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) is not required for Miracast over Infrastructure. This is because Miracast over Infrastructure only works when both devices are connected to the same enterprise network. This removes the security restriction that was previously missing from Miracast. We recommend that you continue using this setting (if you used it previously) as Miracast will fall back to regular Miracast if the infrastructure connection does not work.
+
+## FAQ
+**Why do I still need Wi-Fi to use Miracast over infrastructure?**
+Discovery requests to identify Miracast receivers can only occur through the Wi-Fi adapter. Once the receivers have been identified, Windows 10 can then attempt the connection to the network.
diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md
index 9517857676..c4e2ff5b3e 100644
--- a/devices/surface-hub/miracast-troubleshooting.md
+++ b/devices/surface-hub/miracast-troubleshooting.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
@@ -21,13 +21,13 @@ In traditional Miracast, the projecting device will connect the access point set
- The first step is an initial connection using 2.4GHz.
- After that initial handshake, the projecting device sends traffic to the monitor using the wireless channel settings on the monitor. If Surface Hub is connected to a Wi-Fi network, the access point, it will use the same channel as the connected network, otherwise it will use the Miracast channel from Settings.
-There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub’s location. Running a network scanning tool will show you the available networks and channel usage in the environment.
+There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub's location. Running a network scanning tool will show you the available networks and channel usage in the environment.
## Connect issues
Ensure both Wi-Fi and Miracast are both enabled in Settings on Surface Hub.
-If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub’s Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub.
+If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub's Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub.
When Surface Hub is connected to a Wi-Fi network it will use the same channel settings as the Wi-Fi access point for its Miracast access point. For troubleshooting purposes, disconnect Surface Hub from any Wi-Fi networks (but keep Wi-Fi enabled), so you can control the channel used for Miracast. You can manually select the Miracast channel in Settings. You will need to restart Surface Hub after each change. Generally speaking, you will want to use channels that do not show heavy utilization from the network scan.
@@ -42,7 +42,7 @@ It is also a good idea to ensure the latest drivers and updates are installed on
Next, ensure Miracast is supported on the device.
1. Press Windows Key + R and type `dxdiag`.
-2. Click “Save all information”.
+2. Click "Save all information".
3. Open the saved dxdiag.txt and find **Miracast**. It should say **Available, with HDCP**.
### Check firewall
@@ -63,7 +63,7 @@ On domain-joined devices, Group Policy can also block Miracast.
### Check event logs
-The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub’s Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails.
+The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub's Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails.
## Performance issues
@@ -75,7 +75,10 @@ Channel switching is caused when the Wi-Fi adapter needs to send traffic to mult
If Surface Hub and the projecting device are both connected to Wi-Fi but using different access points with different channels, this will force Surface Hub and the projecting device to channel switch while Miracast is connected. This will result in both poor wireless project and poor network performance over Wi-Fi. The channel switching will affect the performance of all wireless traffic, not just wireless projection.
-Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub’s Miracast channel to the same channel as the most commonly used access point.
+Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub's Miracast channel to the same channel as the most commonly used access point.
If there are multiple Wi-Fi networks or access points in the environment, some channel switching is unavoidable. This is best addressed by ensuring all Wi-Fi drivers are up to date.
+## Contact Support
+
+If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 262c565327..9828a8a268 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -3,7 +3,7 @@ title: Monitor your Microsoft Surface Hub
description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
ms.assetid: 1D2ED317-DFD9-423D-B525-B16C2B9D6942
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: monitor Surface Hub, Microsoft Operations Management Suite, OMS
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 88b0653b00..d35f03b804 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: On-premises deployment single forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: single forest deployment, on prem deployment, device account, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
index f643e4cfe6..170dd03968 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@@ -8,7 +8,7 @@ author: dansimp
ms.author: dansimp
ms.date: 08/28/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 0cd6fc5219..30f0e34b1f 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Online deployment with Office 365 (Surface Hub)
description: This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment.
ms.assetid: D325CA68-A03F-43DF-8520-EACF7C3EDEC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: device account for Surface Hub, online deployment
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index 22e7e1284c..1ef2fcaa46 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Password management (Surface Hub)
description: Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device.
ms.assetid: 0FBFB546-05F0-430E-905E-87111046E4B8
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: password, password management, password rotation, device account
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index 6d06a9ac69..aeadcb900a 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -3,7 +3,7 @@ title: Physically install Microsoft Surface Hub
description: The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation.
ms.assetid: C764DBFB-429B-4B29-B4E8-D7F0073BC554
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, readiness guide, installation location, mounting options
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 198dba4f74..69ca8e6c3e 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Prepare your environment for Microsoft Surface Hub
description: This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub.
ms.assetid: 336A206C-5893-413E-A270-61BFF3DF7DA9
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: prepare environment, features of Surface Hub, create and test device account, check network availability
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md
index 607c66829e..305403b9dc 100644
--- a/devices/surface-hub/provisioning-packages-for-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Create provisioning packages (Surface Hub)
description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages.
ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: add certificate, provisioning package
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index 7a9acbe0fd..1794a9bcac 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 6bbfd1532a..12e59349d6 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -3,7 +3,7 @@ title: Save your BitLocker key (Surface Hub)
description: Every Microsoft Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.
ms.assetid: E11E4AB6-B13E-4ACA-BCE1-4EDC9987E4F2
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, BitLocker, Bitlocker recovery keys
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 96f42c3df1..08ca875984 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -3,7 +3,7 @@ title: Set up Microsoft Surface Hub
description: Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.
ms.assetid: 4D1722BC-704D-4471-BBBE-D0500B006221
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: set up instructions, Surface Hub, setup worksheet, first-run program
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index 6043d88f1d..e7352a5dbe 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -3,7 +3,7 @@ title: Setup worksheet (Surface Hub)
description: When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section.
ms.assetid: AC6F925B-BADE-48F5-8D53-8B6FFF6EE3EB
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Setup worksheet, pre-setup, first-time setup
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md
index c805fb9005..910f2d0129 100644
--- a/devices/surface-hub/skype-hybrid-voice.md
+++ b/devices/surface-hub/skype-hybrid-voice.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/support-solutions-surface-hub.md b/devices/surface-hub/support-solutions-surface-hub.md
index b683f85daf..9de0b753f9 100644
--- a/devices/surface-hub/support-solutions-surface-hub.md
+++ b/devices/surface-hub/support-solutions-surface-hub.md
@@ -3,7 +3,7 @@ title: Top support solutions for Microsoft Surface Hub
description: Find top solutions for common issues using Surface Hub.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-2s-connect.md b/devices/surface-hub/surface-hub-2s-connect.md
index a32df68734..a09044e60d 100644
--- a/devices/surface-hub/surface-hub-2s-connect.md
+++ b/devices/surface-hub/surface-hub-2s-connect.md
@@ -9,7 +9,7 @@ ms.author: greglin
manager: laurawi
audience: Admin
ms.topic: article
-ms.date: 11/13/2019
+ms.date: 02/24/2020
ms.localizationpriority: Medium
---
@@ -129,6 +129,7 @@ You can connect the following accessories to Surface Hub-2S using Bluetooth:
- Keyboards
- Headsets
- Speakers
+- Surface Hub 2 pens
> [!NOTE]
> After you connect a Bluetooth headset or speaker, you might need to change the default microphone and speaker settings. For more information, see [**Local management for Surface Hub settings**](https://docs.microsoft.com/surface-hub/local-management-surface-hub-settings).
diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md
index be1df464ef..c36d53f1f6 100644
--- a/devices/surface-hub/surface-hub-2s-manage-intune.md
+++ b/devices/surface-hub/surface-hub-2s-manage-intune.md
@@ -9,7 +9,7 @@ ms.author: greglin
manager: laurawi
audience: Admin
ms.topic: article
-ms.date: 06/20/2019
+ms.date: 02/28/2020
ms.localizationpriority: Medium
---
@@ -24,7 +24,7 @@ Surface Hub 2S allows IT administrators to manage settings and policies using a
1. Sign in as a local administrator on Surface Hub 2S and open the **Settings** app. Select **Surface Hub** > **Device management** and then select **+** to add.
2. After authenticating, the device will automatically register with Intune.
- 
+ 
### Auto registration — Azure Active Directory Affiliated
@@ -44,17 +44,35 @@ For additional supported CSPs, see [Surface Hub CSPs in Windows 10](https://docs
## Quality of Service (QoS) settings
-To ensure optimal video and audio quality on Surface Hub 2S, add the following QoS settings to the device. The settings are identical for Skype for Business and Teams.
+To ensure optimal video and audio quality on Surface Hub 2S, add the following QoS settings to the device.
+
+### Microsoft Teams QoS settings
|**Name**|**Description**|**OMA-URI**|**Type**|**Value**|
|:------ |:------------- |:--------- |:------ |:------- |
-|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000-50019 |
-|**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 |
-|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020-50039 |
-|**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 |
+|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsAudio/DestinationPortMatchCondition | String | 3478-3479 |
+|**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsAudio/DSCPAction | Integer | 46 |
+|**Video Port**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsVideo/DestinationPortMatchCondition | String | 3480 |
+|**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsVideo/DSCPAction | Integer | 34 |
+|**P2P Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PAudio/DestinationPortMatchCondition | String | 50000-50019 |
+|**P2P Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PAudio/DSCPAction | Integer | 46 |
+|**P2P Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PVideo/DestinationPortMatchCondition | String | 50020-50039 |
+|**P2P Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PVideo/DSCPAction | Integer | 34 |
+
+
+### Skype for Business QoS settings
+
+| Name | Description | OMA-URI | Type | Value |
+| ------------------ | ------------------- | ------------------------------------------------------------------------ | ------- | ------------------------------ |
+| Audio Ports | Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/SourcePortMatchCondition | String | 50000-50019 |
+| Audio DSCP | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/DSCPAction | Integer | 46 |
+| Audio Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe |
+| Video Ports | Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/SourcePortMatchCondition | String | 50020-50039 |
+| Video DSCP | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/DSCPAction | Integer | 34 |
+| Video Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe |
> [!NOTE]
-> These are the default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel.
+> Both tables show default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel.
## Microsoft Teams Mode settings
diff --git a/devices/surface-hub/surface-hub-2s-onprem-powershell.md b/devices/surface-hub/surface-hub-2s-onprem-powershell.md
index fb2c98dcbd..6a0553f72e 100644
--- a/devices/surface-hub/surface-hub-2s-onprem-powershell.md
+++ b/devices/surface-hub/surface-hub-2s-onprem-powershell.md
@@ -26,12 +26,6 @@ $ExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUr
Import-PSSession $ExchSession
```
-```PowerShell
-$ExchServer = Read-Host "Please Enter the FQDN of your Exchange Server"
-$ExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchServer/PowerShell/ -Authentication Kerberos -Credential (Get-Credential)
-Import-PSSession $ExchSession
-```
-
## Create the device account
```PowerShell
diff --git a/devices/surface-hub/surface-hub-2s-pack-components.md b/devices/surface-hub/surface-hub-2s-pack-components.md
index ff8dbd07ad..2c713a0a21 100644
--- a/devices/surface-hub/surface-hub-2s-pack-components.md
+++ b/devices/surface-hub/surface-hub-2s-pack-components.md
@@ -36,7 +36,7 @@ Use the following steps to pack your Surface Hub 2S 50" for shipment.
| **7.** | Replace the cover and slide the Compute Cartridge back into the unit. | |
| **8.** | Re-fasten the locking screw and slide the cover into place. | |
| **9.** | Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container. | |
-| **10.** | Replace the cover of the shipping container, and insert the four clips. | |
| **11.** | Close the four clips. | |
diff --git a/devices/surface-hub/surface-hub-2s-pen-firmware.md b/devices/surface-hub/surface-hub-2s-pen-firmware.md
new file mode 100644
index 0000000000..ce16a5cad3
--- /dev/null
+++ b/devices/surface-hub/surface-hub-2s-pen-firmware.md
@@ -0,0 +1,67 @@
+---
+title: "Update pen firmware on Surface Hub 2S"
+description: "This page describes how to update firmware for the Surface Hub 2 pen."
+keywords: separate values with commas
+ms.prod: surface-hub
+ms.sitesec: library
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+audience: Admin
+ms.topic: article
+ms.date: 02/26/2020
+ms.localizationpriority: Medium
+---
+
+# Update pen firmware on Surface Hub 2S
+
+You can update firmware on Surface Hub 2 pen from Windows Update for Business or by downloading the firmware update to a separate PC. Updated firmware is available from Windows Update beginning February 26, 2020.
+
+## Update pen firmware using Windows Update for Business
+
+This section describes how to update pen firmware via the automated maintenance cycles for Windows Update, configured by default to occur nightly at 3 a.m. You will need to plan for two maintenance cycles to complete before applying the update to the Surface Hub 2 pen. Alternately, like any other update, you can use Windows Server Update Services (WSUS) to apply the pen firmware. For more information, see [Managing Windows updates on Surface Hub](manage-windows-updates-for-surface-hub.md).
+
+1. Ensure the Surface Hub 2 pen is paired to Surface Hub 2S: Press and hold the **top** button until the white indicator LED light begins to blink.
+
+2. On Surface Hub, login as an Admin, open **Settings**, and then scan for new Bluetooth devices.
+3. Select the pen to complete the pairing process.
+4. Press the **top** button on the pen to apply the update. It may take up to two hours to complete.
+
+## Update pen firmware by downloading to separate PC
+
+You can update the firmware on Surface Hub 2 pen from a separate PC running Windows 10. This method also enables you to verify that the pen firmware has successfully updated to the latest version.
+
+1. Pair the Surface Hub 2 pen to your Bluetooth-capable PC: Press and hold the **top** button until the white indicator LED light begins to blink.
+
+2. On the PC, scan for new Bluetooth devices.
+3. Select the pen to complete the pairing process.
+4. Disconnect all other Surface Hub 2s pens before starting a new update.
+3. Download the [Surface Hub 2 Pen Firmware Update Tool](https://download.microsoft.com/download/8/3/F/83FD5089-D14E-42E3-AF7C-6FC36F80D347/Pen_Firmware_Tool.zip) to your PC.
+4. Run **PenCfu.exe.** The install progress is displayed in the tool. It may take several minutes to finish updating.
+
+
+## Check firmware version of Surface Hub 2 pen
+
+1. Run **get_version.bat** and press the **top** button on the pen.
+2. The tool will report the firmware version of the pen. Example:
+ - Old firmware is 468.2727.368
+ - New firmware is 468.2863.369
+
+## Command line options
+
+You can run Surface Hub 2 Pen Firmware Update Tool (PenCfu.exe) from the command line.
+
+1. Pair the pen to your PC and click the **top** button on the pen.
+2. Double click **PenCfu.exe** to initiate the firmware update. Note that the configuration file and the firmware image files must be stored in the same folder as the tool.
+3. For additional options, run **PenCfu.exe -h** to display the available parameters, as listed in the following table.
+ - Example: PenCfu.exe -h
+4. Enter **Ctrl+C** to safely shut down the tool.
+
+
+
+| **Command** | **Description** |
+| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| -h help | Display tool command line interface help and exit. |
+| -v version | Display tool version and exit. |
+| -l log-filter | Set a filter level for the log file. Log messages have 4 possible levels: DEBUG (lowest), INFO, WARNING and ERROR (highest). Setting a log filter level filters log messages to only message with the same level or higher. For example, if the filter level is set to WARNING, only WARNING and ERROR messages will be logged. By default, this option is set to OFF, which disables logging. |
+| -g get-version | If specified, the tool will only get the FW version of the connected pen that matches the configuration file that is stored in the same folder as the tool.
\ No newline at end of file
diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md
index af763b9e26..7493e10c3c 100644
--- a/devices/surface-hub/surface-hub-2s-recover-reset.md
+++ b/devices/surface-hub/surface-hub-2s-recover-reset.md
@@ -23,8 +23,10 @@ To begin, sign in to Surface Hub 2S with admin credentials, open the **Settings*
1. To reset the device, select **Get Started**.
2. When the **Ready to reset this device** window appears, select **Reset**.
+
>[!NOTE]
>Surface Hub 2S reinstalls the operating system from the recovery partition. This may take up to one hour to complete.
+
3. To reconfigure the device, run the first-time Setup program.
4. If you manage the device using Microsoft Intune or another mobile device management solution, retire and delete the previous record, and then re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe).
@@ -67,3 +69,7 @@ At the end of a session, Surface Hub 2S may occasionally encounter an error duri
> [!NOTE]
> To enter recovery mode, unplug the power cord and plug it in again three times.
+
+## Contact Support
+
+If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
diff --git a/devices/surface-hub/surface-hub-2s-whats-new.md b/devices/surface-hub/surface-hub-2s-whats-new.md
index 13d7eb06ce..82589b360e 100644
--- a/devices/surface-hub/surface-hub-2s-whats-new.md
+++ b/devices/surface-hub/surface-hub-2s-whats-new.md
@@ -22,7 +22,7 @@ Surface Hub 2S is an all-in-one collaboration canvas that’s built for teamwork
|**Mobile Device Management and UEFI manageability**| Manage settings and policies using a mobile device management (MDM) provider.
Full integration with Surface Enterprise Management Mode (SEMM) lets you manage hardware components and firmware. | [Managing Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md)
[Surface Enterprise Management Mode](https://docs.microsoft.com/surface/surface-enterprise-management-mode) |
|**Cloud and on-premises coexistence**| Supports on-premises, hybrid, or online. | [Prepare your environment for Microsoft Surface Hub 2S](surface-hub-2s-prepare-environment.md) |
|**Reset and recovery**| Restore from the cloud or USB drive. | [Recover and reset Surface Hub 2S](surface-hub-2s-recover-reset.md) |
-|**Microsoft Whiteboard**| Ofice 365 integration, intelligent ink, and Bing search bring powerful new capabilities, enabling a persistent digital canvas shareable across most browsers, Windows and iOS devices. | [Announcing a new whiteboard for your Surface Hub](https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-a-new-Whiteboard-for-your-Surface-Hub/ba-p/637050) |
+|**Microsoft Whiteboard**| Office 365 integration, intelligent ink, and Bing search bring powerful new capabilities, enabling a persistent digital canvas shareable across most browsers, Windows and iOS devices. | [Announcing a new whiteboard for your Surface Hub](https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-a-new-Whiteboard-for-your-Surface-Hub/ba-p/637050) |
|**Microsoft Teams Meeting Room License**| Extends Office 365 licensing options across Skype for Business, Microsoft Teams, and Intune. | [Teams Meeting Room Licensing Update](https://docs.microsoft.com/MicrosoftTeams/room-systems/skype-room-systems-v2-0) |
|**On-screen display**| Adjust volume, brightness, and input control directly on the display. | |
|**Sensor-activated Connected Standby**| Doppler sensor activates Connected Standby after 1 minute of inactivity.
Manage this setting remotely using Intune or directly on the device from the Settings app. | [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md) |
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index 9ad0606641..80c7dbefd1 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 08/28/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 5e5073588a..79ff342ba9 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 08/22/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-qos.md b/devices/surface-hub/surface-hub-qos.md
index 105a188ae1..aa1b746b8d 100644
--- a/devices/surface-hub/surface-hub-qos.md
+++ b/devices/surface-hub/surface-hub-qos.md
@@ -1,7 +1,7 @@
---
title: Implement Quality of Service on Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Learn how to configure QoS on Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md
index 75feb89fc2..2db5f9706e 100644
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@@ -3,7 +3,7 @@ title: Using the Surface Hub Recovery Tool
description: How to use the Surface Hub Recovery Tool to re-image the SSD.
ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-security.md b/devices/surface-hub/surface-hub-security.md
new file mode 100644
index 0000000000..4dc2b7518e
--- /dev/null
+++ b/devices/surface-hub/surface-hub-security.md
@@ -0,0 +1,158 @@
+---
+title: "Surface Hub security overview"
+description: "This page explains the Defense in Depth design of Surface Hub and describes security enhancements in Surface Hub 2S, wireless security protections, and related features."
+keywords: separate values with commas
+ms.prod: surface-hub
+ms.sitesec: library
+author: coveminer
+ms.author: v-jokai
+manager: laurawi
+audience: Admin
+ms.topic: article
+ms.date: 03/27/2020
+ms.localizationpriority: High
+---
+# Surface Hub security overview
+
+Surface Hub provides a locked-down computing appliance with custom platform firmware running the Windows 10 Team Edition operating system. The resulting device takes the traditional, "single use" secure kiosk, "only run what you need" philosophy and delivers a modern take on it. Built to support a rich collaborative user experience, Surface Hub is protected against continually evolving security threats.
+
+Built on Windows 10, Surface Hub delivers enterprise-grade modern security enabling IT admins to enforce data protection with BitLocker, Trusted Platform Module 2.0 (TPM), plus cloud-powered security with Windows Defender (also known as Microsoft Defender).
+
+## Defense in Depth security
+
+Security protocols begin as soon as Surface Hub is turned on. Starting at the firmware level, Surface Hub will only load the operating system and its components in response to multiple security checks. Surface Hub employs a strategy called Defense in Depth that involves layering independent defensive sub-components to protect the whole of the system in the event of partial failure. This industry practice has proven to be highly effective in mitigating against potential unilateral exploits and weakness in sub-components.
+
+The modern Unified Extensible Firmware Interface (UEFI) is statically and securely configured by Microsoft to only boot an authenticated Windows 10 Team Edition operating system from internal storage. Every line of code that runs on Surface Hub has its signature verified prior to execution. Only applications signed by Microsoft, either as part of the operating system or installed via the Microsoft Store, can run on the Surface Hub. Code or apps not meeting these requirements are blocked.
+
+Surface Hub security systems include the following:
+
+- **Boot-time defenses.** Loads only trusted Surface Hub operating system components.
+- **Operating system defenses.** Protects against execution of unintended or malicious software or code.
+- **User interface defenses.** Provides a user interface that's safe for end users, preventing access to potentially risky activities such as running executables from the command line.
+
+### Boot-time defenses
+
+The SoC has a security processor that's separate from every other core. When you first start Surface Hub, only the security processor starts before anything else can be loaded.
+
+
+
+#### Secure Boot
+
+Secure Boot is used to verify that the components of the boot process, including drivers and the operating system, are validated against a database of valid and known signatures. On Surface Hub, a platform-specific signature must first be validated before the authorized Windows Team operating system can be loaded. This helps prevent attacks from a cloned or modified system running malicious code hidden in what appears to be an otherwise normal user experience. For more information, see [Secure Boot overview](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot).
+
+### Operating system defenses
+
+Once the operating system is verified as originating from Microsoft and Surface Hub successfully completes the boot process, the device scrutinizes the executable code. Our approach to securing the operating system involves identifying the code signature of all executables, allowing only those that pass our restrictions to be loaded into the runtime. This code signing method enables the operating system to verify the author and confirm that code was not altered prior to running on the device.
+
+Surface Hub uses a code signing feature known as User Mode Code Integrity (UMCI) in Windows Application Control (formerly known as Device Guard). Policy settings are configured to only allow apps that meet one of these requirements:
+
+- Universal Windows Platform (Microsoft Store) apps that are [officially certified](https://docs.microsoft.com/windows/uwp/publish/the-app-certification-process).
+- Apps signed with the unique Microsoft Production Root Certification Authority (CA), which can only be signed by Microsoft employees with authorized access to those certificates.
+- Apps signed with the unique Surface Hub Production Root C.
+
+The configuration file is signed using the Microsoft Production Root CA designed to prevent restrictions from being removed or modified by a third party. All other executables at this point are simply blocked at the operating system runtime level and prevented from accessing processing power. This attack surface reduction provides the following protections:
+
+- No legacy document modes
+- No legacy script engines
+- No Vector Markup Language
+- No Browser Helper Objects
+- No ActiveX controls
+
+In addition to blocking unsigned or incorrectly signed code via UMCI, Surface Hub uses Windows Application Control to block Windows components, such as the Command Prompt, PowerShell, and Task Manager. These safeguards reflect a key design feature of Surface Hub as a secure computing appliance. For more information, see the following:
+
+- [Application Control overview](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
+
+- [Windows Defender Application Control and virtualization-based protection of code integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+
+### User interface defenses
+
+While boot-time defenses and operating system lockdown safeguards deliver foundational security, the user interface provides an additional layer designed to further reduce risk. To prevent malicious code from reaching the device through drivers, Surface Hub does not download advanced drivers for plug and play (PnP) devices. Devices that leverage basic drivers, such as USB flash drives or certified Surface Hub peripherals (speakers, microphones, cameras) work as expected, but advanced systems, such as printers, will not.
+
+User interface defenses also simplify the UI, further preventing the execution of malicious software or code. The following Surface Hub UI elements layer the core security provided by code signing:
+
+- **File Explorer.** Surface Hub has a custom File Explorer that enables quick access to Music, Videos, Documents, Pictures, and Downloads folders — without exposing users to system or program files. Other locations on the local hard drive are not available through File Explorer. In addition, many file types running such as .exe, and .msi installation files cannot run providing another layer of safety against potentially malicious executables.
+
+- **Start & All Apps.** The Start and All Apps components of Surface Hub do not expose access to Command Prompt, PowerShell, or other Windows components blocked via Application Control. In addition, Windows run functionality typically accessed on PCs from the Search box is turned off for Surface Hub.
+
+## Security enhancements in Surface Hub 2S
+
+Although Surface Hub and Surface Hub 2S both run the same operating system software, some features unique to Surface Hub 2S provide additional management and security capabilities enabling IT admins to perform the following tasks:
+
+- Manage UEFI settings with SEMM
+- Recover Hub with bootable USB
+- Harden device account with password rotation
+
+### Manage UEFI settings with SEMM
+
+UEFI is an interface between the underlying hardware platform pieces and the operating system. On Surface Hub, a custom UEFI implementation allows granular control over these settings and prevents any non-Microsoft entity from changing the UEFI settings of the device — or booting to a removable drive to modify or change the operating system.
+
+At a high level, during the factory provisioning process, Surface Hub UEFI is preconfigured to enable Secure Boot and is set to only boot from the internal solid-state drive (SSD), with access to UEFI menus locked down and shortcuts removed. This seals UEFI access and ensures the device can only boot into the Windows Team operating system installed on Surface Hub.
+
+When managed via Microsoft Surface Enterprise Management Mode (SEMM), IT admins can deploy UEFI settings on Hub devices across an organization. This includes the ability to enable or disable built-in hardware components, protect UEFI settings from being changed by unauthorized users, and adjust boot settings.
+
+
+
+Admins can implement SEMM and enrolled Surface Hub 2S devices using the downloadable [Microsoft Surface UEFI Configurator](https://www.microsoft.com/download/details.aspx?id=46703). For more information, see [Secure and manage Surface Hub 2S with SEMM and UEFI](https://docs.microsoft.com/surface-hub/surface-hub-2s-secure-with-uefi-semm).
+Secured using a certificate to protect the configuration from unauthorized tampering or removal, SEMM enables management of the following components:
+
+- Wired LAN
+- Camera
+- Bluetooth
+- Wi-Fi
+- Occupancy sensor
+- IPv6 for PXE Boot
+- Alternate Boot
+- Boot Order Lock
+- USB Boot
+- UEFI front page interface
+ - Devices
+ - Boot
+ - Date/Time
+
+
+### Recover Hub with bootable USB
+
+Surface Hub 2S enables admins to reinstall the device to factory settings using a recovery image in as little as 20 minutes. Typically, you would only need to do this if your Surface Hub is no longer functioning. Recovery is also useful if you have lost the Bitlocker key or no longer have admin credentials to the Settings app.
+
+### Harden device account with password rotation
+
+Surface Hub uses a device account, also known as a "room account" to authenticate with Exchange, Microsoft Teams, and other services. When you enable password rotation, Hub 2S automatically generates a new password every 7 days, consisting of 15-32 characters with a combination of uppercase and lowercase letters, numbers, and special characters. Because no one knows the password, the device account password rotation effectively mitigates associated risk from human error and potential social engineering security attacks.
+
+## Windows 10 enterprise-grade security
+
+In addition to Surface Hub-specific configurations and features addressed in this document, Surface Hub also uses the standard security features of Windows 10. These include:
+
+- **BitLocker**. The Surface Hub SSD is equipped with BitLocker to protect the data on the device. Its configuration follows industry standards. For more information, see [BitLocker overview](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot).
+- **Windows Defender.** The Windows Defender anti-malware engine runs continuously on Surface Hub and works to automatically remediate threats found on Surface Hub. The Windows Defender engine receives updates automatically and is manageable via remote management tools for IT admins. The Windows Defender engine is a perfect example of our Defense in Depth approach: If malware can find a way around our core code-signage-based security solution, it will be caught here. For more information, see [Windows Defender Application Control and virtualization-based protection of code integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).
+- **Plug and play drivers.** To prevent malicious code from reaching the device through drivers, Surface Hub does not download advanced drivers for PnP devices. This allows devices that leverage basic drivers such as USB flash drives to work as expected while blocking more advanced systems such as printers.
+- **Trusted Platform Module 2.0.** Surface Hub has an industry standard discrete Trusted Platform Module (dTPM) for generating and storing cryptographic keys and hashes. The dTPM protects keys used for the verification of boot phases, the BitLocker master key, password-less sign-on key, and more. The dTPM meets [FIPS 140-2 Level 2](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation) certification, the U.S. government computer security standard, and is compliant with [Common Criteria](https://docs.microsoft.com/windows/security/threat-protection/windows-platform-common-criteria) certification used worldwide.
+
+## Wireless security for Surface Hub
+
+Surface Hub uses Wi-Fi Direct / Miracast technology and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design.
+
+Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
+
+Wi-Fi Direct or Wi-Fi "peer to peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection.
+
+Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Devices can be authenticated using a numerical pin, a physical or virtual push button, or an out-of-band message using near-field communication. Surface Hub supports both push button by default as well PIN methods. For more information, see [How Surface Hub addresses Wi-Fi Direct security issues](https://docs.microsoft.com/surface-hub/surface-hub-wifi-direct).
+
+## Learn more
+
+- [Secure Boot overview](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot)
+
+- [BitLocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
+
+- [Application Control overview](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
+
+- [Secure and manage Surface Hub 2S with SEMM and UEFI](https://docs.microsoft.com/surface-hub/surface-hub-2s-secure-with-uefi-semm)
+
+- [How Surface Hub addresses Wi-Fi Direct security issues](https://docs.microsoft.com/surface-hub/surface-hub-wifi-direct)
+
+- [Windows Defender Application Control and virtualization-based protection of code integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+
+- [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703)
+
+- [FIPS 140-2 Level 2](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation)
+
+- [Common Criteria certification](https://docs.microsoft.com/windows/security/threat-protection/windows-platform-common-criteria)
diff --git a/devices/surface-hub/surface-hub-ssd-replacement.md b/devices/surface-hub/surface-hub-ssd-replacement.md
index 7896a7d634..12f256388d 100644
--- a/devices/surface-hub/surface-hub-ssd-replacement.md
+++ b/devices/surface-hub/surface-hub-ssd-replacement.md
@@ -1,7 +1,7 @@
---
title: Surface Hub SSD replacement
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Learn how to replace the solid state drive in a Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-55.md b/devices/surface-hub/surface-hub-technical-55.md
index 6abc46e411..209e77df4c 100644
--- a/devices/surface-hub/surface-hub-technical-55.md
+++ b/devices/surface-hub/surface-hub-technical-55.md
@@ -1,7 +1,7 @@
---
title: Technical information for 55" Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Specifications for the 55" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-84.md b/devices/surface-hub/surface-hub-technical-84.md
index 0ba7d45aa1..837883da14 100644
--- a/devices/surface-hub/surface-hub-technical-84.md
+++ b/devices/surface-hub/surface-hub-technical-84.md
@@ -1,7 +1,7 @@
---
title: Technical information for 84" Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Specifications for the 84" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
@@ -134,7 +134,7 @@ RJ11, bottom I/O |  | Connects to room control systems.
---
-***Removable lifting handles on 84” Surface Hub ***
+***Removable lifting handles on 84” Surface Hub***
@@ -142,7 +142,7 @@ RJ11, bottom I/O |  | Connects to room control systems.
---
-***Wall mount threads on back of 84” Surface Hub ***
+***Wall mount threads on back of 84” Surface Hub***
diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md
index 5d6989d80b..8e584f17b3 100644
--- a/devices/surface-hub/surface-hub-update-history.md
+++ b/devices/surface-hub/surface-hub-update-history.md
@@ -24,6 +24,33 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
## Windows 10 Team Creators Update 1703
+
+February 28, 2020—update for Surface Hub 2S
+
+This update is specific to the Surface Hub 2S and provides the driver and firmware updates outlined below:
+
+* Surface Integration driver - 13.46.139.0
+ * Improves display brightness scenarios.
+* Intel(R) Management Engine Interface driver - 1914.12.0.1256
+ * Improves system stability.
+* Surface SMC Firmware update - 1.161.139.0
+ * Improves pen battery performance.
+* Surface UEFI update - 694.2938.768.0
+ * Improves system stability.
+
+
+
+February 11, 2020—update for Team edition based on KB4537765* (OS Build 15063.2284)
+
+This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
+
+* Resolves an issue where the Hub 2S cannot be heard well by other participants during Skype for Business calls.
+* Improves reliability for some Arabic, Hebrew, and other RTL language usage scenarios on Surface Hub.
+
+Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
+*[KB4537765](https://support.microsoft.com/help/4537765)
+
+
January 14, 2020—update for Team edition based on KB4534296* (OS Build 15063.2254)
@@ -530,7 +557,6 @@ This update to the Surface Hub includes quality improvements and security fixes.
## Related topics
-* [Windows 10 feature roadmap](https://go.microsoft.com/fwlink/p/?LinkId=785967)
* [Windows 10 release information](https://go.microsoft.com/fwlink/p/?LinkId=724328)
* [Windows 10 November update: FAQ](https://windows.microsoft.com/windows-10/windows-update-faq)
* [Microsoft Surface update history](https://go.microsoft.com/fwlink/p/?LinkId=724327)
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index 8d94858bfa..fc1ada3230 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 11/27/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index 0626c4a0d7..4c324d33ce 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 01/18/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index af6809a477..4a30281eff 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -3,7 +3,7 @@ title: Troubleshoot Microsoft Surface Hub
description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues, Exchange ActiveSync errors
ms.prod: surface-hub
ms.sitesec: library
@@ -456,15 +456,15 @@ This section lists status codes, mapping, user messages, and actions an admin ca
0x80072EFD |
WININET_E_CANNOT_CONNECT |
-Can’t connect to the server right now. Wait a while and try again, or check the account settings. |
+Can't connect to the server right now. Wait a while and try again, or check the account settings. |
Verify that the server name is correct and reachable. Verify that the device is connected to the network. |
0x86000C29 |
-E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don’t match) |
+E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don't match) |
The account is configured with policies not compatible with Surface Hub. |
Disable the PasswordEnabled policy for this account.
-We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval. |
+We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.
0x86000C4C |
@@ -475,7 +475,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
0x86000C0A |
E_NEXUS_STATUS_SERVERERROR_RETRYLATER |
-Can’t connect to the server right now. |
+Can't connect to the server right now. |
Wait until the server comes back online. If the issue persists, re-provision the account. |
@@ -487,7 +487,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
0x8505000D |
E_AIRSYNC_RESET_RETRY |
-Can’t connect to the server right now. Wait a while or check the account’s settings. |
+Can't connect to the server right now. Wait a while or check the account's settings. |
This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large. |
@@ -499,13 +499,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca
0x85010004 |
E_HTTP_FORBIDDEN |
-Can’t connect to the server right now. Wait a while and try again, or check the account’s settings. |
+Can't connect to the server right now. Wait a while and try again, or check the account's settings. |
Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not. |
0x85030028 |
E_ACTIVESYNC_PASSWORD_OR_GETCERT |
-The account’s password or client certificate are missing or invalid. |
+The account's password or client certificate are missing or invalid. |
Update the password and/or deploy the client certificate. |
@@ -523,7 +523,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
0x80072EE2 |
WININET_E_TIMEOUT |
-The network doesn’t support the minimum idle timeout required to receive server notification, or the server is offline. |
+The network doesn't support the minimum idle timeout required to receive server notification, or the server is offline. |
Verify that the server is running. Verify the NAT settings. |
@@ -535,13 +535,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca
0x85010017 |
E_HTTP_SERVICE_UNAVAIL |
-Can’t connect to the server right now. Wait a while or check the account’s settings. |
+Can't connect to the server right now. Wait a while or check the account's settings. |
Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account. |
0x86000C0D |
E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE |
-Can’t connect to the server right now. Wait a while or check the account’s settings. |
+Can't connect to the server right now. Wait a while or check the account's settings. |
Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account. |
@@ -555,7 +555,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
E_NEXUS_STATUS_INVALID_POLICYKEY |
The account is configured with policies not compatible with Surface Hub. |
Disable the PasswordEnabled policy for this account.
-We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval. |
+We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.
0x85010005 |
@@ -566,7 +566,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
0x85010014 |
E_HTTP_SERVER_ERROR |
-Can’t connect to the server. |
+Can't connect to the server. |
Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account. |
@@ -602,7 +602,10 @@ This section lists status codes, mapping, user messages, and actions an admin ca
-
+## Contact Support
+
+If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
+
## Related content
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 33233a023b..cf9f2b6339 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -7,7 +7,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index cbc437e783..1ec1e19ab5 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -3,7 +3,7 @@ title: Using a room control system (Surface Hub)
description: Room control systems can be used with your Microsoft Surface Hub.
ms.assetid: DC365002-6B35-45C5-A2B8-3E1EB0CB8B50
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: room control system, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
index a6e9524cd2..a1e05d92b5 100644
--- a/devices/surface-hub/whiteboard-collaboration.md
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -1,6 +1,6 @@
---
title: Set up and use Microsoft Whiteboard
-description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board.
+description: Microsoft Whiteboard's latest update includes the capability for two Surface Hubs to collaborate in real time on the same board.
ms.prod: surface-hub
ms.sitesec: library
author: dansimp
@@ -8,13 +8,13 @@ ms.author: dansimp
ms.topic: article
ms.date: 03/18/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
# Set up and use Microsoft Whiteboard
-The Microsoft Whiteboard app includes the capability for Surface Hubs and other devices to collaborate in real time on the same board.
+The Microsoft Whiteboard app includes the capability for Surface Hubs and other devices with the Microsoft Whiteboard app installed to collaborate in real time on the same board.
## Prerequisites
@@ -48,14 +48,16 @@ On the other device, such as a Surface Hub, when you are signed in, the shared b
- You can also change the background color and design from solid to grid or dots. Pick the background, then choose the color from the wheel around it.
- You can export a copy of the Whiteboard collaboration for yourself through the Share charm and leave the board for others to continue working.
+For more information, see [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d).
+
> [!NOTE]
-> If you are using Whiteboard and cannot sign in, you can collaborate by joining a Teams or Skype for Business meeting, and then sharing your screen. After you’re done, tap **Settings** > **Export to email** or save a copy of the board. The SVG export provides higher resolution than PNG and can be opened in a web browser.
+> If you are using Whiteboard and cannot sign in, you can collaborate by joining a Teams or Skype for Business meeting, and then sharing your screen. After you're done, tap **Settings** > **Export to email** or save a copy of the board. If you choose to export to SVG, it exports vector graphics and provides higher resolution than PNG and can be opened in a web browser.
## New features in Whiteboard
The Microsoft Whiteboard app, updated for Surface Hub on July 1, 2019 includes a host of new features including:
-- **Automatic Saving** - Boards are saved to the cloud automatically when you sign in, and can be found in the board gallery.
+- **Automatic Saving** - Boards are saved to the cloud automatically when you sign in, and can be found in the board gallery. There is no local folder name or directory.
- **Extended collaboration across devices** - You can collaborate using new apps for Windows 10 PC and iOS, and a web version for other devices.
- **Richer canvas** - In addition to ink and images, Whiteboard now includes sticky notes, text and GIFs, with more objects coming soon.
- **Intelligence** – In addition to ink to shape and table, Whiteboard now includes ink beautification to improve handwriting and ink grab to convert images to ink.
@@ -68,3 +70,5 @@ The Microsoft Whiteboard app, updated for Surface Hub on July 1, 2019 includes a
- [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub)
- [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)
+
+- [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d)
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 0a314fe596..96162edafe 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Wireless network management (Surface Hub)
description: Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet wireless, and wired. While both provide network access, we recommend you use a wired connection.
ms.assetid: D2CFB90B-FBAA-4532-B658-9AA33CAEA31D
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: network connectivity, wired connection
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 53918a7ad5..5adf5c3ca4 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -1,9 +1,12 @@
-# [Surface](index.md)
+# [Surface](index.yml)
-## [Get started](get-started.md)
+## [Surface devices documentation](get-started.yml)
## Overview
+### [What's new in Surface Dock 2](surface-dock-whats-new.md)
+### [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md)
+### [Surface Book 3 Quadro RTX 3000 technical overview](surface-book-quadro.md)
### [Surface Pro 7 for Business](https://www.microsoft.com/surface/business/surface-pro-7)
### [Surface Pro X for Business](https://www.microsoft.com/surface/business/surface-pro-x)
### [Surface Laptop 3 for Business](https://www.microsoft.com/surface/business/surface-laptop-3)
diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
index c677b56488..017f34559f 100644
--- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
+++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
@@ -3,17 +3,16 @@ title: Advanced UEFI security features for Surface Pro 3 (Surface)
description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: security, features, configure, hardware, device, custom, script, update
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 07/27/2017
---
# Advanced UEFI security features for Surface Pro 3
diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md
index db6a63ad69..296a57b10e 100644
--- a/devices/surface/assettag.md
+++ b/devices/surface/assettag.md
@@ -5,12 +5,11 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 10/21/2019
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
---
# Surface Asset Tag Tool
diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md
index c5d75cda00..0da0c326e7 100644
--- a/devices/surface/battery-limit.md
+++ b/devices/surface/battery-limit.md
@@ -5,14 +5,14 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.date: 10/31/2019
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+author: coveminer
+ms.reviewer: jesko
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.audience: itpro
+manager: laurawi
+audience: itpro
+ms.date: 5/06/2020
---
# Battery Limit setting
@@ -33,6 +33,11 @@ The Surface UEFI Battery Limit setting can be configured by booting into Surface
+## Enabling battery limit on Surface Go and Surface Go 2
+The Surface Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **boot configuration**, and then, under **Kiosk Mode**, move the slider to the right to set Battery Limit to **Enabled**.
+
+
+
## Enabling Battery Limit in Surface UEFI (Surface Pro 3)
The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **Kiosk Mode**, select **Battery Limit**, and then choose **Enabled**.
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 18fc041b85..35be5e736d 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -1,17 +1,16 @@
---
title: Change history for Surface documentation (Windows 10)
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics in the Surface documentation library.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
---
# Change history for Surface documentation
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 0b9915c4b0..f68989b045 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -6,14 +6,13 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 11/25/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Considerations for Surface and Microsoft Endpoint Configuration Manager
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index 46c321367b..70d53dae71 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -3,18 +3,17 @@ title: Customize the OOBE for Surface deployments (Surface)
description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: deploy, customize, automate, network, Pen, pair, boot
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.audience: itpro
-ms.date: 10/21/2019
---
# Customize the OOBE for Surface deployments
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index a03f6e46fa..121be61007 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -6,14 +6,13 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, store
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Deploy Surface app with Microsoft Store for Business and Education
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index 61fc8352df..47f14939db 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -6,14 +6,14 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 01/15/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
+ms.date: 04/24/2020
---
# Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit
@@ -28,779 +28,8 @@ manager: dansimp
- Surface 3
- Windows 10
-This article walks you through the recommended process to deploy Windows 10 to Surface devices with Microsoft deployment technologies. The process described in this article yields a complete Windows 10 environment including updated firmware and drivers for your Surface device along with applications like Microsoft Office 365 and the Surface app.
-
> [!NOTE]
-> MDT is not currently supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
-
-When the process is complete, the Surface device will be ready for use by the end user. You can customize this process to include your own applications and configuration to meet the needs of your organization. You can also follow the guidance provided in this article to integrate deployment to Surface devices into existing deployment strategies.
-
-By following the procedures in this article, you can create an up-to-date reference image and deploy this image to your Surface devices, a process known as *reimaging*. Reimaging will erase and overwrite the existing environment on your Surface devices. This process allows you to rapidly configure your Surface devices with identical environments that can be configured to precisely fit your organization’s requirements.
-
-An alternative to the reimaging process is an upgrade process. The upgrade process is non-destructive and instead of erasing the existing environment on your Surface device, it allows you to install Windows 10 while retaining your user data, applications, and settings. You can read about how to manage and automate the upgrade process of Surface devices to Windows 10 at [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md).
-
-The goal of the deployment process presented in this article is automation. By leveraging the many technologies and tools available from Microsoft, you can create a process that requires only a single touch on the devices being deployed. The automation can load the deployment environment; format the device; prepare an updated Windows image with the drivers required for the device; apply that image to the device; configure the Windows environment with licensing, membership in a domain, and user accounts; install applications; apply any Windows updates that were not included in the reference image; and log out.
-
-By automating each aspect of the deployment process, you not only greatly decrease the effort involved, but you create a process that can be easily repeated and where human error becomes less of a factor. Take for example a scenario where you create a reference image for the device manually, but you accidentally install conflicting applications and cause the image to become unstable. In this scenario you have no choice but to begin again the manual process of creating your image. If in this same scenario you had automated the reference image creation process, you could repair the conflict by simply editing a step in the task sequence and then re-running the task sequence.
-
-## Deployment tools
-
-The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/download/windows.aspx).
-
-#### Microsoft Deployment Toolkit
-
-The Microsoft Deployment Toolkit (MDT) is the primary component of a Windows deployment. It serves as a unified interface for most of the Microsoft deployment tools and technologies, such as the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), User State Migration Tool (USMT), and many other tools and technologies. Each of these is discussed throughout this article. The unified interface, called the *Deployment Workbench*, facilitates automation of the deployment process through a series of stored deployment procedures, known as a *task sequence*. Along with these task sequences and the many scripts and tools that MDT provides, the resources for a Windows deployment (driver files, application installation files, and image files) are stored in a network share known as the *deployment share*.
-
-You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741).
-
-#### Windows Assessment and Deployment Kit
-
-Although MDT is the tool you will interact with most during the deployment process, the deployment tools found in the Windows ADK perform most of the deployment tasks during the deployment process. The resources for deployment are held within the MDT deployment share, but it is the collection of tools included in Windows ADK that access the image files, stage drivers and Windows updates, run the deployment experience, provide instructions to Windows Setup, and back up and restore user data.
-
-You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk).
-
-#### Windows 10 installation media
-
-Before you can perform a deployment with MDT, you must first supply a set of operating system installation files and an operating system image. These files and image can be found on the physical installation media (DVD) for Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download from the [Volume Licensing Service Center (VLSC)](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-
-
->[!NOTE]
->The installation media generated from the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
-
-
-#### Windows Server
-
-Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services’ ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI devices like Surface with WDS, you will need Windows Server 2008 R2 or later.
-
-
->[!NOTE]
->To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter).
-
-
-#### Windows Deployment Services
-
-Windows Deployment Services (WDS) is leveraged to facilitate network boot capabilities provided by the Preboot Execution Environment (PXE) server. The boot media generated by MDT is loaded onto the Surface device simply by pressing Enter at the prompt when the device attempts to boot from the attached network adapter or Surface Dock.
-
-#### Hyper-V virtualization platform
-
-The process of creating a reference image should always be performed in a virtual environment. When you use a virtual machine as the platform to build your reference image, you eliminate the need for installation of additional drivers. The drivers for a Hyper-V virtual machine are included by default in the factory Windows 10 image. When you avoid the installation of additional drivers – especially complex drivers that include application components like control panel applications – you ensure that the image created by your reference image process will be as universally compatible as possible.
-
->[!NOTE]
->A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment.
-
-Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is not to perform customization but to increase performance during deployment by reducing the number of actions that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the installation of Windows updates. When MDT performs this step during the deployment process, it downloads the updates on each deployed device and installs them. By installing Windows updates in your reference image, the updates are already installed when the image is deployed to the device and the MDT update process only needs to install updates that are new since the image was created or are applicable to products other than Windows (for example, Microsoft Office updates).
-
-
->[!NOTE]
->Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
-
-
-#### Surface firmware and drivers
-
-For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-
-When you browse to the specific Microsoft Download Center page for your device, you will find a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. Firmware updates maintain the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. For more information, see [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates).
-
->[!NOTE]
->Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices.
-
-#### Application installation files
-
-In addition to the drivers that are used by Windows to communicate with the Surface device’s hardware and components, you will also need to provide the installation files for any applications that you want to install on your deployed Surface devices. To automate the deployment of an application, you will also need to determine the command-line instructions for that application to perform a silent installation. In this article, the Surface app and Microsoft Office 365 will be installed as examples of application installation. The application installation process can be used with any application with installation files that can be launched from command line.
-
->[!NOTE]
->If the application files for your application are stored on your organization’s network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article.
-
-#### Microsoft Surface Deployment Accelerator
-
-If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
-
-### Install the deployment tools
-
-Before you can configure the deployment environment with Windows images, drivers, and applications, you must first install the deployment tools that will be used throughout the deployment process. The three main tools to be installed are WDS, Windows ADK, and MDT. WDS provides the capacity for network boot, Windows ADK provides several deployment tools that perform specific deployment tasks, and MDT provides automation and a central interface from which to manage and control the deployment process.
-
-To boot from the network with either your reference virtual machines or your Surface devices, your deployment environment must include a Windows Server environment. The Windows Server environment is required to install WDS and the WDS PXE server. Without PXE support, you will be required to create physical boot media, such as a USB stick to perform your deployment – MDT and Windows ADK will still be required, but Windows Server is not required. Both MDT and Windows ADK can be installed on a Windows client and perform a Windows deployment.
-
->[!NOTE]
->To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**.
-
-#### Install Windows Deployment Services
-
-Windows Deployment Services (WDS) is a Windows Server role. To add the WDS role to a Windows Server 2012 R2 environment, use the Add Roles and Features Wizard, as shown in Figure 1. Start the Add Roles and Features Wizard from the **Manage** button of **Server Manager**. Install both the Deployment Server and Transport Server role services.
-
-
-
-*Figure 1. Install the Windows Deployment Services server role*
-
-After the WDS role is installed, you need to configure WDS. You can begin the configuration process from the WDS node of Server Manager by right-clicking your server’s name and then clicking **Windows Deployment Services Management Console**. In the **Windows Deployment Services** window, expand the **Servers** node to find your server, right-click your server, and then click **Configure** in the menu to start the Windows Deployment Services Configuration Wizard, as shown in Figure 2.
-
-
-
-*Figure 2. Configure PXE response for Windows Deployment Services*
-
->[!NOTE]
->Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration.
-
-Using the Windows Deployment Services Configuration Wizard, configure WDS to fit the needs of your organization. You can find detailed instructions for the installation and configuration of WDS at [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426). On the **PXE Server Initial Settings** page, be sure to configure WDS so that it will respond to your Surface devices when they attempt to boot from the network. If you have already installed WDS or need to change your PXE server response settings, you can do so on the **PXE Response** tab of the **Properties** of your server in the Windows Deployment Services Management Console.
-
->[!NOTE]
->You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role.
-
-#### Install Windows Assessment and Deployment Kit
-
-To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows.
-
->[!NOTE]
->You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
-
-When you get to the **Select the features you want to install** page, you only need to select the **Deployment Tools** and **Windows Preinstallation Environment (Windows PE)** check boxes to deploy Windows 10 using MDT, as shown in Figure 3.
-
-
-
-*Figure 3. Only Deployment Tools and Windows PE options are required for deployment with MDT*
-
-#### Install Microsoft Deployment Toolkit
-
-After the Windows ADK installation completes successfully, you can install MDT. When you download MDT, ensure that you download the version that matches the architecture of your deployment server environment. For Windows Server the architecture is 64-bit. Download the MDT installation file that ends in **x64**. When MDT is installed you can use the default options during the installation wizard, as shown in Figure 4.
-
-
-
-*Figure 4. Install the Microsoft Deployment Toolkit with default options*
-
-Before you can open the MDT Deployment Workbench, you must enable execution of scripts in PowerShell. If you do not do this, the following error message may be displayed: *"Initialization Error PowerShell is required to use the Deployment Workbench. Please install PowerShell then relaunch Deployment Workbench."*
-
-To enable the execution of scripts, run the following cmdlet in PowerShell as an Administrator:
-
- `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser`
-
-## Create a reference image
-
-Now that you have installed the required tools, you can begin the first step of customizing your deployment environment to your needs – create a reference image. Because the reference image should be created in a virtual machine where there is no need for drivers to be installed, and because the reference image will not include applications, you can use the MDT deployment environment almost entirely with default settings.
-
-### Create a deployment share
-
-Now that you have the tools installed, the next step is to configure MDT for the creation of a reference image. Before you can perform the process of creating a reference image, MDT needs to be set up with a repository for scripts, images, and other deployment resources. This repository is known as the *deployment share*. After the deployment share is created, you must supply MDT with a complete set of Windows 10 installation files, the last set of tools required before MDT can perform reference image creation.
-
-To create the deployment share, follow these steps:
-
-1. Open the Deployment Workbench from your Start menu or Start screen, as shown in Figure 5.
-
- 
-
- *Figure 5. The MDT Deployment Workbench*
-
-2. Right-click the **Deployment Shares** folder, and then click **New Deployment Share** to start the New Deployment Share Wizard, as shown in Figure 6.
-
- 
-
- *Figure 6. The Summary page of the New Deployment Share Wizard*
-
-3. Create a new deployment share with New Deployment Share Wizard with the following steps:
-
- * **Path** – Specify a local folder where the deployment share will reside, and then click **Next**.
-
- >[!NOTE]
- >Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume.
-
- * **Share** – Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**.
-
- >[!NOTE]
- >The share name cannot contain spaces.
-
- >[!NOTE]
- >You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer.
-
- * **Descriptive Name** – Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench.
- * **Options** – You can accept the default options on this page. Click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the deployment share.
- * **Progress** – While the deployment share is being created, a progress bar is displayed on this page to indicate the status of the deployment share creation process.
- * **Confirmation** – When the deployment share creation process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Deployment Share Wizard.
-
-4. When the New Deployment Share Wizard is complete, you can expand the Deployment Shares folder to find your newly created deployment share.
-5. You can expand your deployment share, where you will find several folders for the resources, scripts, and components of your MDT deployment environment are stored.
-
-To secure the deployment share and prevent unauthorized access to the deployment resources, you can create a local user on the deployment share host and configure permissions for that user to have read-only access to the deployment share only. It is especially important to secure access to the deployment share if you intend to automate the logon to the deployment share during the deployment boot process. By automating the logon to the deployment share during the boot of deployment media, the credentials for that logon are stored in plaintext in the bootstrap.ini file on the boot media.
-
->[!NOTE]
->If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share.
-
-You now have an empty deployment share that is ready for you to add the resources that will be required for reference image creation and deployment to Surface devices.
-
-### Import Windows installation files
-
-The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC).
-
->[!NOTE]
->A 64-bit operating system is required for compatibility with Surface devices except Surface Pro X which cannot be managed with MDT.
-
-To import Windows 10 installation files, follow these steps:
-
-1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench, and then click **New Folder** to open the **New Folder** page, as shown in Figure 7.
-
- 
-
- *Figure 7. Create a new folder on the New Folder page*
-
-2. On the **New Folder** page a series of steps is displayed, as follows:
- * **General Settings** – Enter a name for the folder in the **Folder Name** field (for example, Windows 10 Enterprise), add any comments you want in the **Comments** field, and then click **Next**.
- * **Summary** – Review the specified configuration of the new folder on this page, and then click **Next**.
- * **Progress** – A progress bar will be displayed on this page while the folder is created. This page will likely pass very quickly.
- * **Confirmation** – When the new folder has been created, a **Confirmation** page displays the success of the operation. Click **Finish** to close the **New Folder** page.
-3. Expand the Operating Systems folder to see the newly created folder.
-4. Right-click the newly created folder, and then click **Import Operating System** to launch the Import Operating System Wizard, as shown in Figure 8.
-
- 
-
- *Figure 8. Import source files with the Import Operating System Wizard*
-
-5. The Import Operating System Wizard walks you through the import of your operating system files, as follows:
- * **OS Type** – Click **Full Set of Source Files** to specify that you are importing the Windows source files from installation media, and then click **Next**.
- * **Source** – Click **Browse**, move to and select the folder or drive where your installation files are found, and then click **Next**.
- * **Destination** – Enter a name for the new folder that will be created to hold the installation files, and then click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the installation files are imported, a progress bar is displayed on this page.
- * **Confirmation** – When the operating system import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Operating System Wizard.
-6. Expand the folder you created in Step 1 to see the entry for your newly imported installation files for Windows 10.
-
-Now that you’ve imported the installation files from the installation media, you have the files that MDT needs to create the reference image and you are ready to instruct MDT how to create the reference image to your specifications.
-
-### Create reference image task sequence
-
-As described in the [Deployment tools](#deployment-tools) section of this article, the goal of creating a reference image is to keep the Windows environment as simple as possible while performing tasks that would be common to all devices being deployed. You should now have a basic MDT deployment share configured with default options and a set of unaltered, factory installation files for Windows 10. This simple configuration is perfect for reference image creation because the deployment share contains no applications or drivers to interfere with the process.
-
->[!NOTE]
->For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications.
-
-To create the reference image task sequence, follow these steps:
-
-1. Right-click the **Task Sequences** folder under your deployment share in the Deployment Workbench, and then click **New Task Sequence** to start the New Task Sequence Wizard, as shown in Figure 9.
-
- 
-
- *Figure 9. Create a new task sequence to deploy and update a Windows 10 reference environment*
-
-2. The New Task Sequence Wizard presents a series of steps, as follows:
- * **General Settings** – Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**.
- >[!NOTE]
- >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
- * **Select Template** – Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
- * **Select OS** – Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**.
- * **Specify Product Key** – Click **Do Not Specify a Product Key at This Time**, and then click **Next**.
- * **OS Settings** – Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
- * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
- >[!NOTE]
- >During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
- * **Progress** – While the task sequence is created, a progress bar is displayed on this page.
- * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
-3. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
-4. Select the **Task Sequence** tab to view the steps that are included in the Standard Client Task Sequence template, as shown in Figure 10.
-
- 
-
- *Figure 10. Enable Windows Update in the reference image task sequence*
-
-5. Select the **Windows Update (Pre-Application Installation)** option, located under the **State Restore** folder.
-6. Click the **Options** tab, and then clear the **Disable This Step** check box.
-7. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option.
-8. Click **OK** to apply changes to the task sequence, and then close the task sequence properties window.
-
-### Generate and import MDT boot media
-
-To boot the reference virtual machine from the network, the MDT deployment share first must be updated to generate boot media with the resources that have been added in the previous sections.
-
-To update the MDT boot media, follow these steps:
-
-1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard, as shown in Figure 11.
-
- 
-
- *Figure 11. Generate boot images with the Update Deployment Share Wizard*
-
-2. Use the Update Deployment Share Wizard to create boot images with the following process:
- * **Options** – Click **Completely Regenerate the Boot Images**, and then click **Next**.
- >[!NOTE]
- >Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page.
- * **Summary** – Review the specified options on this page before you click **Next** to begin generation of boot images.
- * **Progress** – While the boot images are being generated, a progress bar is displayed on this page.
- * **Confirmation** – When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
-3. Confirm that boot images have been generated by navigating to the deployment share in File Explorer and opening the Boot folder. The following files should be displayed, as shown in Figure 12:
- * **LiteTouchPE_x86.iso**
- * **LiteTouchPE_x86.wim**
- * **LiteTouchPE_x64.iso**
- * **LiteTouchPE_x64.wim**
-
-
- 
-
- *Figure 12. Boot images displayed in the Boot folder after completion of the Update Deployment Share Wizard*
-
-To import the MDT boot media into WDS for PXE boot, follow these steps:
-
-1. Open Windows Deployment Services from the Start menu or Start screen.
-2. Expand **Servers** and your deployment server.
-3. Click the **Boot Images** folder, as shown in Figure 13.
-
- 
-
- *Figure 13. Start the Add Image Wizard from the Boot Images folder*
-
-4. Right-click the **Boot Images** folder, and then click **Add Boot Image** to open the Add Image Wizard, as shown in Figure 14.
-
- 
-
- *Figure 14. Import the LiteTouchPE_x86.wim MDT boot image*
-
-5. The Add Image Wizard displays a series of steps, as follows:
- * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, click **Open**, and then click **Next**.
- * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
- * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**.
- * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
-
->[!NOTE]
->Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine.
-
-If your WDS configuration is properly set up to respond to PXE clients, you should now be able to boot from the network with any device with a network adapter properly configured for network boot (PXE).
-
->[!NOTE]
->If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351).
-
-### Deploy and capture a reference image
-
-Your deployment environment is now set up to create a reference image for Windows 10 complete with Windows Updates.
-
->[!NOTE]
->You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.
-By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your organization is ready for feature updates and new versions of Windows 10.
-
-You can now boot from the network with a virtual machine to run the prepared task sequence and generate a reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the following:
-
-* Use a Generation 1 virtual machine for the simplicity of drivers and to ensure maximum compatibility with both BIOS and UEFI devices.
-* Ensure your virtual machine has at least 1 GB of system memory at boot. You can ensure that the virtual machine has at least 1 GB of memory at boot but allow the memory to adjust after boot by using Dynamic Memory. You can read more about Dynamic Memory in the [Hyper-V Dynamic Memory Overview](https://technet.microsoft.com/library/hh831766).
-* Ensure your virtual machine uses a legacy network adapter to support network boot (PXE); that network adapter should be connected to the same network as your deployment server, and that network adapter should receive an IP address automatically via DHCP.
-* Configure your boot order such that PXE Boot is the first option.
-
-When your virtual machine (VM) is properly configured and ready, start or boot the VM and be prepared to press the F12 key when prompted to boot via PXE from the WDS server.
-
-Perform the reference image deployment and capture using the following steps:
-
-1. Start your virtual machine and press the F12 key when prompted to boot to the WDS server via PXE, as shown in Figure 15.
-
- 
-
- *Figure 15. Start network boot by pressing the F12 key*
-
-2. Click **Run the Deployment Wizard to Install a New Operating System** to begin the MDT deployment process.
-3. Enter your MDT username and password, a user with rights to access the MDT deployment share over the network and with rights to write to the Captures folder in the deployment share.
-4. After your credentials are validated, the Windows Deployment Wizard will start and process the boot and deployment share rules.
-5. The Windows Deployment Wizard displays a series of steps, as follows:
- * **Task Sequence** – Select the task sequence you created for reference image creation (it should be the only task sequence available), and then click **Next**.
- * **Computer Details** – Leave the default computer name, workgroup name, and the **Join a Workgroup** option selected, and then click **Next**. The computer name and workgroup will be reset when the image is prepared by Sysprep and captured.
- * **Move Data and Settings** – Leave the default option of **Do Not Move User Data and Settings** selected, and then click **Next**.
- * **User Data (Restore)** – Leave the default option of **Do Not Restore User Data and Settings** selected, and then click **Next**.
- * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**.
- * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**.
-
- 
-
- *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment*
-
- * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image.
-
-6. Your reference task sequence will run with the specified options.
-
-As the task sequence processes the deployment, it will automatically perform the following tasks:
-* Install the Windows 10 image from the installation files you supplied
-* Reboot into Windows 10
-* Run Windows updates until all Windows updates have been installed and the Windows environment is fully up to date
-* Run Sysprep and prepare the Windows 10 environment for deployment
-* Reboot into WinPE
-* Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment share
-
->[!NOTE]
->The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment.
-
-When the task sequence completes, your virtual machine will be off and a new reference image complete with updates will be ready in your MDT deployment share for you to import it and prepare your deployment environment for deployment to Surface devices.
-
-## Deploy Windows 10 to Surface devices
-
-With a freshly prepared reference image, you are now ready to configure the deployment process for deployment to the Surface devices. Use the steps detailed in this section to produce a deployment process that requires minimal effort on each Surface device to produce a complete and ready-to-use Windows 10 environment.
-
-### Import reference image
-
-After the reference image has been created and stored in the Captures folder, you need to add it to your MDT deployment share as an image for deployment. You perform this task by using the same process that you used to import the installation files for Windows 10.
-
-To import the reference image for deployment, use the following steps:
-
-1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench or the folder you created in when you imported Windows 10 installation files, and then click **Import Operating System** to start the Import Operating System Wizard.
-2. Import the custom image with the Import Operating System Wizard by using the following steps:
- * **OS Type** – Select Custom Image File to specify that you are importing the Windows source files from installation media, and then click **Next**.
- * **Image** – Click **Browse**, and then navigate to and select the image file in the **Captures** folder in your deployment share. Select the **Move the Files to the Deployment Share Instead of Copying Them** checkbox if desired. Click **Next**.
- * **Setup** – Click **Setup Files are not Neededf**, and then click **Next**.
- * **Destination** – Enter a name for the new folder that will be created to hold the image file, and then click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the image is imported, a progress bar is displayed on this page.
- * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard.
-3. Expand the folder in which you imported the image to verify that the import completed successfully.
-
->[!NOTE]
->You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
-
-Now that your updated reference image is imported, it is time to prepare your deployment environment for deployment to Surface devices complete with drivers, applications, and automation.
-
-### Import Surface drivers
-
-Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and components, Surface firmware and driver packs also include updates for the firmware of those components. By installing the Surface firmware and driver pack, you will also bring your device’s firmware up to date. If you have not done so already, download the drivers for your Surface device listed at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-
-Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
-
-To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps:
-
-1. Extract the downloaded archive (.zip) file to a folder that you can easily locate. Keep the driver files separate from other drivers or files.
-2. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
-3. If you have not already created a folder structure by operating system version, you should do so now and create under the Windows 10 x64 folder a new folder for Surface Pro 4 drivers named Surface Pro 4. Your Out-of-Box Drivers folder should resemble the following structure, as shown in Figure 17:
- * WinPE x86
- * WinPE x64
- * Windows 10 x64
- * Microsoft Corporation
- * Surface Pro 4
-
- 
-
- *Figure 17. The recommended folder structure for drivers*
-
-4. Right-click the **Surface Pro 4** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 18.
-
- 
-
- *Figure 18. The Progress page during drivers import*
-
-5. The Import Driver Wizard displays a series of steps, as follows:
- * **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 4 firmware and drivers in Step 1.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the drivers are imported, a progress bar is displayed on this page.
- * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
-6. Click the **Surface Pro 4** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 19.
-
- 
-
- *Figure 19. Drivers for Surface Pro 4 imported and organized in the MDT deployment share*
-
-### Import applications
-
-You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
-
-#### Import Microsoft Office 365 Installer
-
-The Office Deployment Tool is a free download available in the Microsoft Download Center that allows IT professionals and system administrators to download and prepare Office installation packages for Office Click-to-Run. You can find the Office Deployment Tool and instructions to download Click-to-Run for Office 365 installation source files at [Download Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219424).
-
-Download and install the version of Office Deployment Tool (ODT), for Office 2013 or Office 2016, that fits your organization’s needs and use the steps provided by that page to download the Office installation files for use with MDT.
-
-After you have downloaded the source files for your version of Office Click-to-Run, you need to edit the Configuration.xml file with instructions to install Office Click-to-Run silently. To configure the Office Deployment Tool for silent installation, follow these steps:
-
-1. Right-click the existing **Configuration.xml** file, and then click **Edit**.
-2. This action opens the file in Notepad. Replace the existing text with the following:
- ```
-
-
-
-
-
-
-
- ```
-
-3. Save the file.
-
-The default behavior of Setup.exe is to look for the source files in the path that contains **Setup.exe**. If the installation files are not found in this folder, the Office Deployment Tool will default to online source files from an Internet connection.
-
-For MDT to perform an automated installation of office, it is important to configure the **Display Level** option to a value of **None**. This setting is used to suppress the installation dialog box for silent installation. It is required that the **AcceptEULA** option is set to **True** to accept the license agreement when the **Display Level** option is set to **None**. With both of these options configured, the installation of Office will occur without the display of dialog boxes which could potentially cause the installation to pause until a user can address an open dialog box.
-
-Now that the installation and configuration files are prepared, the application can be imported into the deployment share by following these steps:
-
-1. Open the Deployment Workbench.
-2. Expand the deployment share, right-click the **Applications** folder, and then click **New Application** to start the New Application Wizard, as shown in Figure 20.
-
- 
-
- *Figure 20. Enter the command and directory for Office 2016 Click-to-Run*
-
-3. The New Application Wizard walks you through importing the Office 2016 Click-to-Run files, as follows:
- * **Application Type** – Click **Application with Source Files**, and then click **Next**.
- * **Details** – Enter a name for the application (for example, Office 2016 Click-to-Run) in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**.
- * **Source** – Click **Browse** to navigate to and select the folder where you downloaded the Office installation files with the Office Deployment Tool, and then click **Next**.
- * **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name.
- * **Command Details** – Enter the Office Deployment Tool installation command line:
-
- `Setup.exe /configure configuration.xml`
-
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the installation files are imported, a progress bar is displayed on this page.
- * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard.
-
-4. You should now see the **Office 2016 Click-to-Run** item under the **Applications** folder in the Deployment Workbench.
-
-#### Import Surface app installer
-
-The Surface app is a Microsoft Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/support/apps-and-windows-store/surface-app?os=windows-10).
-
-To perform a deployment of the Surface app, you will need to download the app files through Microsoft Store for Business. You can find detailed instructions on how to download the Surface app through Microsoft Store for Business at [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
-
-After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you can import these files into the deployment share through the same process as a desktop application like Microsoft Office. Both the AppxBundle and license files must be together in the same folder for the import process to complete successfully. Use the following command on the **Command Details** page to install the Surface app:
- ```
-DISM.exe /Online /Add-ProvisionedAppxPackage /PackagePath: Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle /LicensePath: Microsoft.SurfaceHub_8wekyb3d8bbwe_a53ef8ab-9dbd-dec1-46c5-7b664d4dd003.xml
- ```
-
-### Create deployment task sequence
-
-The next step in the process is to create the deployment task sequence. This task sequence will be configured to completely automate the deployment process and will work along with customized deployment share rules to reduce the need for user interaction down to a single touch. Before you can make customizations to include all of this automation, the new task sequence has to be created from a template.
-
-To create the deployment task sequence, follow these steps:
-1. In the Deployment Workbench, under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
-2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
- * **General Settings** – Enter an identifier for the deployment task sequence in the **Task Sequence ID** field, a name for the deployment task sequence in the **Task Sequence Name** field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, then click **Next**.
- >[!NOTE]
- >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
- * **Select Template** – Click **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
- * **Select OS** – Navigate to and select the reference image that you imported, and then click **Next**.
- * **Specify Product Key** – Select the product key entry that fits your organization's licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
- * **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
- * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
- * **Progress** – While the task sequence is being created, a progress bar is displayed on this page.
- * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
-
-After the task sequence is created it can be modified for increased automation, such as the installation of applications without user interaction, the selection of drivers, and the installation of Windows updates.
-
-1. Click the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
-2. Click the **Task Sequence** tab to view the steps that are included in the new task sequence.
-3. Click the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
-4. Click the **Options** tab, and then clear the **Disable This Step** check box.
-5. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option.
-6. Between the two **Windows Update** steps is the **Install Applications** step. Click the **Install Applications** step, and then click **Add**.
-7. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 21.
-
- 
-
- *Figure 21. A new Install Application step in the deployment task sequence*
-
-8. On the **Properties** tab of the new **Install Application** step, enter **Install Microsoft Office 2016 Click-to-Run** in the **Name** field.
-9. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
-10. Select Office 2016 Click-to-Run from the list of applications, and then click **OK**.
-11. Repeat Steps 6 through 10 for the Surface app.
-12. Expand the **Preinstall** folder, and then click the **Enable BitLocker (Offline)** step.
-13. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
-14. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 22), configure the following options:
- * **Name** – Set DriverGroup001
- * **Task Sequence Variable** – DriverGroup001
- * **Value** – Windows 10 x64\%Make%\%Model%
-
- 
-
- *Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence*
-
-15. Select the **Inject Drivers** step, the next step in the task sequence.
-16. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 23), configure the following options:
- * In the **Choose a selection profile** drop-down menu, select **Nothing**.
- * Click the **Install all drivers from the selection profile** button.
-
- 
-
- *Figure 23. Configure the deployment task sequence not to choose the drivers to inject into Windows*
-
-17. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
-
-### Configure deployment share rules
-
-The experience of users during a Windows deployment is largely governed by a set of rules that control how the MDT and Windows Deployment Wizard experience should proceed. These rules are stored in two configuration files. Boot media rules are stored in the Bootstrap.ini file that is processed when the MDT boot media is first run. Deployment share rules are stored in the Customsettings.ini file and tell the Windows Deployment Wizard how to operate (for example, what screens to show and what questions to ask). By using these the rules stored in these two files, you can completely automate the process of deployment to where you will not be asked to supply the answer to any questions during deployment and the deployment will perform all tasks completely on its own.
-
-#### Configure Bootstrap.ini
-
-Bootstrap.ini is the simpler of the two rule files. The purpose it serves is to provide instructions from when the MDT boot media starts on a device until the Windows Deployment Wizard is started. The primary use of this file is to provide the credentials that will be used to log on to the deployment share and start the Windows Deployment Wizard.
-
-To automate the boot media rules, follow these steps:
-
-1. Right-click your deployment share in the Deployment Workbench, and then click **Properties**.
-2. Click the **Rules** tab, and then click **Edit Bootstrap.ini** to open Bootstrap.ini in Notepad.
-3. Replace the text of the Bootstrap.ini file with the following text:
-
- ```
- [Settings]
- Priority=Model,Default
-
- [Surface Pro 4]
- DeployRoot=\\STNDeployServer\DeploymentShare$
- UserDomain=STNDeployServer
- UserID=MDTUser
- UserPassword=P@ssw0rd
- SkipBDDWelcome=YES
-
- [Surface Pro 4]
- DeployRoot=\\STNDeployServer\DeploymentShare$
- ```
-
-4. Press Ctrl+S to save Bootstrap.ini, and then close Notepad.
-
-You can use a number of variables in both boot media and deployment share rules to apply rules only when certain conditions are met. For example, you can use MAC addresses to identify specific machines where MDT will run fully automated, but will run with required user interaction on all other devices. You can also use the model of the device to instruct the MDT boot media to perform different actions based on computer model, much as the way **[Surface Pro 4]** is listed in Step 3. You can use the following cmdlet in a PowerShell session to see what the Model variable would be on a device:
-
-```wmic csproduct get name```
-
-Rules used in the text shown in Step 3 include:
-
-* **DeployRoot** – Used to specify the deployment share that the MDT boot media will connect to.
-* **UserDomain** – Used to specify the domain or computer where the MDT user account is located.
-* **UserID** – Used to specify the MDT user account for automatic logon to the deployment share.
-* **UserPassword** – Used to specify the MDT user password for automatic logon to the deployment share.
-* **SkipBDDWelcome** – Used to skip the Welcome page and to start the Windows Deployment Wizard immediately using the specified credentials and deployment share.
-
-#### Configure CustomSettings.ini
-
-The bulk of the rules used to automate the MDT deployment process are stored in the deployment share rules, or the Customsettings.ini file. In this file you can answer and hide all of the prompts from the Windows Deployment Wizard, which yields a deployment experience that mostly consists of a progress bar that displays the automated actions occurring on the device. The deployment share rules are shown directly in the **Rules** tab of the deployment share properties, as shown in Figure 24.
-
-
-
-*Figure 24. Deployment share rules configured for automation of the Windows Deployment Wizard*
-
-To configure automation for the production deployment, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties:
-
- ```
-[Settings]
-Priority=Model,Default
-Properties=MyCustomProperty
-
-[Surface Pro 4]
-SkipTaskSequence=YES
-TaskSequenceID=Win10SP4
-
-[Default]
-OSInstall=Y
-SkipCapture=YES
-SkipAdminPassword=YES
-SkipProductKey=YES
-SkipComputerBackup=YES
-SkipBitLocker=YES
-SkipBDDWelcome=YES
-SkipUserData=YES
-UserDataLocation=AUTO
-SkipApplications=YES
-SkipPackageDisplay=YES
-SkipComputerName=YES
-SkipDomainMembership=YES
-JoinDomain=contoso.com
-DomainAdmin=MDT
-DomainAdminDomain=contoso
-DomainAdminPassword=P@ssw0rd
-SkipLocaleSelection=YES
-KeyboardLocale=en-US
-UserLocale=en-US
-UILanguage=en-US
-SkipTimeZone=YES
-TimeZoneName=Pacific Standard Time
-UserID=MDTUser
-UserDomain=STNDeployServer
-UserPassword=P@ssw0rd
-SkipSummary=YES
-SkipFinalSummary=YES
-FinishAction=LOGOFF
- ```
-Rules used in this example include:
-
-* **SkipTaskSequence** – This rule is used to skip the **Task Sequence** page where the user would have to select between available task sequences.
-* **TaskSequenceID** – This rule is used to instruct the Windows Deployment Wizard to run a specific task sequence. In this scenario the task sequence ID should match the deployment task sequence you created in the previous section.
-* **OSInstall** – This rule indicates that the Windows Deployment Wizard will be performing an operating system deployment.
-* **SkipCapture** – This rule prevents the **Capture Image** page from being displayed, prompting the user to create an image of this device after deployment.
-* **SkipAdminPassword** – This rule prevents the **Admin Password** page from being displayed. The Administrator password specified in the task sequence will still be applied.
-* **SkipProductKey** – This rule prevents the **Specify Product Key** page from being displayed. The product key specified in the task sequence will still be applied.
-* **SkipComputerBackup** – This rule prevents the **Move Data and Settings** page from being displayed, where the user is asked if they would like to make a backup of the computer before performing deployment.
-* **SkipBitLocker** – This rule prevents the **BitLocker** page from being displayed, where the user is asked if BitLocker Drive Encryption should be used to encrypt the device.
-* **SkipBDDWelcome** – This rule prevents the **Welcome** page from being displayed, where the user is prompted to begin Windows deployment.
-* **SkipUserData** – This rule prevents the **User Data (Restore)** page from being displayed, where the user is asked to restore previously backed up user data in the new environment.
-* **UserDataLocation** – This rule prevents the user from being prompted to supply a location on the User Data (Restore) page.
-* **SkipApplications** – This rule prevents the **Applications** page from being displayed, where the user is prompted to select from available applications to be installed in the new environment.
-* **SkipPackageDisplay** – This rule prevents the **Packages** page from being displayed, where the user is prompted to select from available packages to be installed in the new environment.
-* **SkipComputerName** – This rule, when combined with the **SkipDomainMembership** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup.
-* **SkipDomainMembership** – This rule, when combined with the **SkipComputerName** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup.
-* **JoinDomain** – This rule instructs the Windows Deployment Wizard to have the computer join the specified domain using the specified credentials.
-* **DomainAdmin** – This rule specifies the username for the domain join operation.
-* **DomainAdminDomain** – This rule specifies the domain for the username for the domain join operation.
-* **DomainAdminPassword** – This rule specifies the password for the username for the domain join operation.
-* **SkipLocaleSelection** – This rule, along with the **SkipTimeZone** rule, prevents the **Locale and Time** page from being displayed.
-* **KeyboardLocale** – This rule is used to specify the keyboard layout for the deployed Windows environment.
-* **UserLocale** – This rule is used to specify the geographical locale for the deployed Windows environment.
-* **UILanguage** – This rule is used to specify the language to be used in the deployed Windows environment.
-* **SkipTimeZone** – This rule, along with the **SkipLocaleSelection** rule, prevents the **Locale and Time** page from being displayed.
-* **TimeZoneName** – This rule is used to specify the time zone for the deployed Windows environment.
-* **UserID** – This rule is used to supply the username under which the MDT actions and task sequence steps are performed.
-* **UserDomain** – This rule is used to supply the domain for the username under which the MDT actions and task sequence steps are performed.
-* **UserPassword** – This rule is used to supply the password for the username under which the MDT actions and task sequence steps are performed.
-* **SkipSummary** – This rule prevents the **Summary** page from being displayed before the task sequence is run, where the user is prompted to confirm the selections before beginning the task sequence.
-* **SkipFinalSummary** – This rule prevents the **Summary** page from being displayed when the task sequence has completed.
-* **FinishAction** – This rule specifies whether to log out, reboot, or shut down the device after the task sequence has completed.
-
-You can read about all of the possible deployment share and boot media rules in the [Microsoft Deployment Toolkit Reference](https://technet.microsoft.com/library/dn781091).
-
-### Update and import updated MDT boot media
-
-The process to update MDT boot media with these new rules and changes to the deployment share is very similar to the process to generate boot media from scratch.
-
-To update the MDT boot media, follow these steps:
-
-1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard.
-2. The Update Deployment Share Wizard displays a series of steps, as follows:
- * **Options** – Choose between the **Completely Regenerate the Boot Images** or **Optimize the Boot Image Updating Process** options. Completely regenerating the boot images will take more time, but produces boot media that is not fragmented and does not contain out of date components. Optimizing the boot image updating process will proceed more quickly, but may result in longer load times when booting via PXE. Click **Next**.
- * **Summary** – Review the specified options on this page before you click **Next** to begin the update of boot images.
- * **Progress** – While the boot images are being updated a progress bar is displayed on this page.
- * **Confirmation** – When the boot images have been updated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
-
-To import the updated MDT boot media into WDS for PXE boot, follow these steps:
-
-1. Open Windows Deployment Services from the Start menu or Start screen.
-2. Expand **Servers** and your deployment server.
-3. Click the **Boot Images** folder.
-4. Right-click the existing MDT boot image, and then click **Replace Image** to open the Replace Boot Image Wizard.
-5. Replace the previously imported MDT boot image with the updated version by using these steps in the Replace Boot Image Wizard:
- * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, and then click **Open**. Click **Next**.
- * **Available Images** – Only one image should be listed and selected **LiteTouch Windows PE (x86)**, click **Next**.
- * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
- * **Summary** – Review your selections for importing a boot image into WDS, and then click **Next**.
- * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Replace Boot Image Wizard.
-6. Right-click the **Boot Images** folder, and then click **Add Image** to open the Add Image Wizard.
-7. Add the new 64-bit boot image for 64-bit UEFI device compatibility with the Add Image Wizard , as follows:
- * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, select **LiteTouchPE_x64.wim**, and then click **Open**. Click **Next**.
- * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
- * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**.
- * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
-
->[!NOTE]
->Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices.
-
-### Deploy Windows to Surface
-
-With all of the automation provided by the deployment share rules and task sequence, performing the deployment on each Surface device becomes as easy as a single touch.
-
->[!NOTE]
->For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25.
-
-
-
-*Figure 25. Setting boot priority for PXE boot*
-
-On a properly configured Surface device, simply turn on the device and press Enter when you are prompted to boot from the network. The fully automated MDT deployment process will then take over and perform the following tasks:
-
-* The MDT boot media will be loaded to your Surface device via the network
-* The MDT boot media will use the provided credentials and rules to connect to the MDT deployment share
-* The task sequence and drivers will be automatically selected for your device via make and model information
-* The task sequence will deploy your updated Windows 10 image to the device complete with the selected drivers
-* The task sequence will join your device to the domain
-* The task sequence will install the applications you specified, Microsoft Office and Surface app
-* Windows Update will run, installing any new Windows Updates or updates for installed applications, like Microsoft Office
-* The task sequence will complete silently and log out of the device
-
->[!NOTE]
->For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press Power to boot the system immediately to a USB or network device.
-
-The resulting configuration is a Surface device that is logged out and ready for an end user to enter their credentials, log on, and get right to work. The applications and drivers they need are already installed and up to date.
-
-
+> MDT is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
+For the latest information about using MDT, refer to [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt).
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index 68749b654c..a7220315da 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -5,11 +5,10 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.date: 10/02/2018
+author: coveminer
ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: laurawi
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
diff --git a/devices/surface/documentation/surface-system-sku-reference.md b/devices/surface/documentation/surface-system-sku-reference.md
index 55a45cdd43..0d49be965e 100644
--- a/devices/surface/documentation/surface-system-sku-reference.md
+++ b/devices/surface/documentation/surface-system-sku-reference.md
@@ -7,7 +7,6 @@ ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.topic: article
-ms.date: 03/12/2019
---
# Surface System SKU Reference
This document provides a reference of System SKU names that you can use to quickly determine the machine state of a specific device using PowerShell, WMI, and related tools.
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
index 49e1bc555b..d51a90413e 100644
--- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -3,17 +3,16 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface)
description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: network, wireless, device, deploy, authentication, protocol
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 07/27/2017
---
# Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices
diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
index b49b04d13a..18011a1ca5 100644
--- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
+++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
@@ -9,7 +9,6 @@ ms.sitesec: library
author: Teresa-Motiv
ms.author: v-tea
ms.topic: article
-ms.date: 01/30/2020
ms.reviewer: scottmca
ms.localizationpriority: medium
ms.audience: itpro
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
index 50ecb3cb35..56282326a4 100644
--- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md
+++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
@@ -6,14 +6,13 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Enroll and configure Surface devices with SEMM
@@ -25,7 +24,7 @@ For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Manage
A streamlined method of managing firmware from the cloud on Surface Pro 7,Surface Pro X and Surface Laptop 3 is now available via public preview. For more information,refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md).
> [!NOTE]
-> SEMM is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
+> SEMM is supported on Surface Pro X via the UEFI Manager only. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
#### Download and install Microsoft Surface UEFI Configurator
The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
@@ -58,8 +57,10 @@ To create a Surface UEFI configuration package, follow these steps:
6. Click **Password Protection** to add a password to Surface UEFI. This password will be required whenever you boot to UEFI. If this password is not entered, only the **PC information**, **About**, **Enterprise management**, and **Exit** pages will be displayed. This step is optional.
7. When you are prompted, enter and confirm your chosen password for Surface UEFI, and then click **OK**. If you want to clear an existing Surface UEFI password, leave the password field blank.
8. If you do not want the Surface UEFI package to apply to a particular device, on the **Choose which Surface type you want to target** page, click the slider beneath the corresponding Surface Book or Surface Pro 4 image so that it is in the **Off** position. (As shown in Figure 3.)
+ > [!NOTE]
+ > You must select a device as none are selected by default.
- 
+ 
*Figure 3. Choose the devices for package compatibility*
@@ -108,11 +109,11 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo
3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so.
4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows:
* Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate.
- * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
+ * Surface UEFI will prompt you to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
- 
-
- *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint*
+ 
+
+ *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint*
* Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file.
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 3c05a0d165..c35dbe0630 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -3,18 +3,17 @@ title: Ethernet adapters and Surface deployment (Surface)
description: This article provides guidance and answers to help you perform a network deployment to Surface devices.
ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.audience: itpro
-ms.date: 10/21/2019
---
# Ethernet adapters and Surface deployment
diff --git a/devices/surface/get-started.md b/devices/surface/get-started.md
deleted file mode 100644
index c81e994d70..0000000000
--- a/devices/surface/get-started.md
+++ /dev/null
@@ -1,169 +0,0 @@
----
-title: Get started with Surface devices
-author: greg-lindsay
-ms.author: greglin
-manager: laurawi
-layout: LandingPage
-ms.assetid:
-ms.audience: itpro
-ms.tgt_pltfrm: na
-ms.devlang: na
-ms.topic: landing-page
-description: "Get started with Microsoft Surface devices"
-ms.localizationpriority: High
----
-# Get started with Surface devices
-
-Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface for Business devices in your organization.
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
----
-
-
\ No newline at end of file
diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml
new file mode 100644
index 0000000000..9b0bd74d7e
--- /dev/null
+++ b/devices/surface/get-started.yml
@@ -0,0 +1,129 @@
+### YamlMime:Landing
+
+title: Surface devices documentation # < 60 chars
+summary: Harness the power of Surface, Windows, and Office connected together through the cloud. # < 160 chars
+
+metadata:
+ title: Surface devices documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Get started with Microsoft Surface devices # Required; article description that is displayed in search results. < 160 chars.
+ ms.service: product-insights #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.topic: landing-page # Required
+ manager: laurawi
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ audience: itpro
+ ms.localizationpriority: High
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: Surface devices
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Surface Go 2 for Business
+ url: https://www.microsoft.com/surface/business/surface-go-2
+ - text: Surface Book 3 for Business
+ url: https://www.microsoft.com/surface/business/surface-book-3
+ - text: Surface Pro 7 for Business
+ url: https://www.microsoft.com/surface/business/surface-pro-7
+ - text: Surface Pro X for Business
+ url: https://www.microsoft.com/surface/business/surface-pro-x
+ - text: Surface Laptop 3 for Business
+ url: https://www.microsoft.com/surface/business/surface-laptop-3
+ - text: Surface Studio 2 for Business
+ url: https://www.microsoft.com/surface/business/surface-studio-2
+
+ - linkListType: video
+ links:
+ - text: Microsoft Mechanics Surface videos
+ url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
+
+ # Card (optional)
+ - title: Get started
+ linkLists:
+ - linkListType: get-started
+ links:
+ - text: Surface Book 3 GPU technical overview
+ url: surface-book-gpu-overview.md
+ - text: Surface Book 3 Quadro RTX 3000 technical overview
+ url: surface-book-quadro.md
+ - text: What’s new in Surface Dock 2
+ url: surface-dock-whats-new.md
+ - text: Surface and Endpoint Configuration Manager considerations
+ url: considerations-for-surface-and-system-center-configuration-manager.md
+ - text: Wake On LAN for Surface devices
+ url: wake-on-lan-for-surface-devices.md
+
+ # Card
+ - title: Deploy Surface devices
+ linkLists:
+ - linkListType: deploy
+ links:
+ - text: Manage and deploy Surface driver and firmware updates
+ url: manage-surface-driver-and-firmware-updates.md
+ - text: Autopilot and Surface devices
+ url: windows-autopilot-and-surface-devices.md
+ - text: Deploying, managing, and servicing Surface Pro X
+ url: surface-pro-arm-app-management.md
+
+ # Card
+ - title: Manage Surface devices
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Optimize Wi-Fi connectivity for Surface devices
+ url: surface-wireless-connect.md
+ - text: Best practice power settings for Surface devices
+ url: maintain-optimal-power-settings-on-Surface-devices.md
+ - text: Manage battery limit with UEFI
+ url: battery-limit.md
+
+ # Card
+ - title: Secure Surface devices
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Intune management of Surface UEFI settings
+ url: surface-manage-dfci-guide.md
+ - text: Surface Enterprise Management Mode (SEMM)
+ url: surface-enterprise-management-mode.md
+ - text: Surface Data Eraser tool
+ url: microsoft-surface-data-eraser.md
+
+ # Card
+ - title: Discover Surface tools
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Surface Dock Firmware Update
+ url: surface-dock-firmware-update.md
+ - text: Surface Diagnostic Toolkit for Business
+ url: surface-diagnostic-toolkit-for-business-intro.md
+ - text: SEMM and UEFI
+ url: surface-enterprise-management-mode.md
+ - text: Surface Brightness Control
+ url: microsoft-surface-brightness-control.md
+ - text: Battery Limit setting
+ url: battery-limit.md
+
+ # Card
+ - title: Support and community
+ linkLists:
+ - linkListType: learn
+ links:
+ - text: Top support solutions
+ url: support-solutions-surface.md
+ - text: Maximize your Surface battery life
+ url: https://support.microsoft.com/help/4483194/maximize-surface-battery-life
+ - text: Troubleshoot Surface Dock and docking stations
+ url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations
+ - linkListType: reference
+ links:
+ - text: Surface IT Pro blog
+ url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro
+ - text: Surface Devices Tech Community
+ url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
diff --git a/devices/surface/images/config-mgr-semm-fig3.png b/devices/surface/images/config-mgr-semm-fig3.png
index c844b60531..e699359552 100644
Binary files a/devices/surface/images/config-mgr-semm-fig3.png and b/devices/surface/images/config-mgr-semm-fig3.png differ
diff --git a/devices/surface/images/dataeraser-arch.png b/devices/surface/images/dataeraser-arch.png
new file mode 100644
index 0000000000..5010120cf1
Binary files /dev/null and b/devices/surface/images/dataeraser-arch.png differ
diff --git a/devices/surface/images/enable-bl.png b/devices/surface/images/enable-bl.png
index a99cb994fb..b1f7cff7f6 100644
Binary files a/devices/surface/images/enable-bl.png and b/devices/surface/images/enable-bl.png differ
diff --git a/devices/surface/images/go-batterylimit.png b/devices/surface/images/go-batterylimit.png
new file mode 100644
index 0000000000..893e78ea9f
Binary files /dev/null and b/devices/surface/images/go-batterylimit.png differ
diff --git a/devices/surface/images/graphics-settings2.png b/devices/surface/images/graphics-settings2.png
new file mode 100644
index 0000000000..3ee5235962
Binary files /dev/null and b/devices/surface/images/graphics-settings2.png differ
diff --git a/devices/surface/images/manage-surface-uefi-fig4.png b/devices/surface/images/manage-surface-uefi-fig4.png
index e956cefeaf..480b1d7f46 100644
Binary files a/devices/surface/images/manage-surface-uefi-fig4.png and b/devices/surface/images/manage-surface-uefi-fig4.png differ
diff --git a/devices/surface/images/manage-surface-uefi-fig5-a.png b/devices/surface/images/manage-surface-uefi-fig5-a.png
new file mode 100644
index 0000000000..7605291e93
Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig5-a.png differ
diff --git a/devices/surface/images/surface-dock2.png b/devices/surface/images/surface-dock2.png
new file mode 100644
index 0000000000..410bcd1df7
Binary files /dev/null and b/devices/surface/images/surface-dock2.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig3.jpg b/devices/surface/images/surface-semm-enroll-fig3.jpg
new file mode 100644
index 0000000000..bdbc3dfd4f
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig3.jpg differ
diff --git a/devices/surface/index.md b/devices/surface/index.md
deleted file mode 100644
index 3d8e45e45e..0000000000
--- a/devices/surface/index.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: Microsoft Surface documentation and resources
-layout: HubPage
-hide_bc: true
-description: Surface and Surface Hub documentation for admins & IT professionals
-author: greg-lindsay
-ms.author: greglin
-manager: laurawi
-ms.topic: hub-page
-keywords: Microsoft Surface, Microsoft Surface Hub, Surface documentation
-ms.localizationpriority: High
-audience: ITPro
-ms.prod: Surface
-description: Learn about Microsoft Surface and Surface Hub devices.
----
-
-
-
Microsoft Surface
-
Learn how to plan, deploy, and manage Microsoft Surface and Surface Hub devices.
-
- -
-
-
- -
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
Surface Devices
-
Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
Surface Hub
-
Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices.
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
Surface for Business
-
Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies.
-
-
-
-
- -
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
- -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ *Figure 2. Select device architecture*
+
+
+4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 3, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
>[!NOTE]
>If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
- *Figure 2. USB thumb drive selection*
+ *Figure 3. USB thumb drive selection*
5. After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**.
-6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3.
+6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 4.
- *Figure 3. Complete the Microsoft Surface Data Eraser USB creation process*
+ *Figure 4. Complete the Microsoft Surface Data Eraser USB creation process*
7. Click **X** to close Microsoft Surface Data Eraser.
@@ -133,11 +134,11 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
>[!NOTE]
>If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
-3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4.
+3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 5.
- *Figure 4. Booting the Microsoft Surface Data Eraser USB stick*
+ *Figure 5. Booting the Microsoft Surface Data Eraser USB stick*
4. Read the software license terms, and then close the Notepad file.
@@ -150,7 +151,7 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
- *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
+ *Figure 6. Partition to be erased is displayed in Microsoft Surface Data Eraser*
7. If you pressed **Y** in step 6, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 8fbc32d7df..6c25746e2a 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -3,16 +3,15 @@ title: Microsoft Surface Deployment Accelerator (Surface)
description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
ms.reviewer: hachidan
-manager: dansimp
-ms.date: 10/31/2019
+manager: laurawi
ms.localizationpriority: medium
keywords: deploy, install, tool
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.audience: itpro
---
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 04d78253ee..e10b8209c9 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -3,15 +3,15 @@ title: Step by step Surface Deployment Accelerator (Surface)
description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
keywords: deploy, configure
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.date: 10/31/2019
---
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index b311e28937..ab4c3a46c4 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -1,16 +1,16 @@
---
-title: Top support solutions for Surface devices
+title: Top support solutions for Surface devices in the enterprise
description: Find top solutions for common issues using Surface devices in the enterprise.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues
ms.prod: w10
ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: surfacehub
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.date: 09/26/2019
ms.localizationpriority: medium
@@ -20,16 +20,36 @@ ms.audience: itpro
# Top support solutions for Surface devices
> [!Note]
-> **Home users**: This article is only intended for use by IT professionals and technical support agents, and applies only to Surface devices. If you're looking for help with a problem with your home device, please see [Surface Devices Help](https://support.microsoft.com/products/surface-devices).
+> **Home users**: This article is only intended for use by IT professionals and technical support agents, and applies only to Surface devices. If you're looking for help with a problem with your home device, please see [Surface Devices Help](https://support.microsoft.com/products/surface-devices).
-Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated. For a complete listing of the update history, see [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) and [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined).
+These are the Microsoft Support solutions for common issues you may experience using Surface devices in an enterprise. If your issue is not listed here, [contact Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection).
+## Surface Drivers and Firmware
-These are the top Microsoft Support solutions for common issues experienced when using Surface devices in an enterprise.
+Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated.
+
+- [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history)
+- [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined)
+- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482)
+- [Deploy the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices)
+- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
+- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906)
+
+## Surface Dock Issues
+
+- [Troubleshoot Surface Dock and docking stations](https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations)
+
+- [Troubleshoot connecting Surface to a second screen](https://support.microsoft.com/help/4023496)
+
+- [Microsoft Surface Dock Firmware Update](https://docs.microsoft.com/surface/surface-dock-updater)
+
+## Device cover or keyboard issues
+
+- [Troubleshoot your Surface Type Cover or keyboard](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-surface-keyboards)
## Screen cracked or scratched issues
-- [Contact Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection)
+- [Contact Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection)
## Surface Power or battery Issues
@@ -41,29 +61,13 @@ These are the top Microsoft Support solutions for common issues experienced when
- [Maximize your Surface battery life](https://support.microsoft.com/help/4483194)
-## Device cover or keyboard issues
+## Reset device
-- [Troubleshoot your Surface Type Cover or keyboard](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-surface-keyboards)
+- [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/help/4023512)
-## Surface Dock Issues
+- [FAQ: Protecting your data if you send your Surface in for Service](https://support.microsoft.com/help/4023508)
-- [Troubleshoot Surface Dock and docking stations](https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations)
-
-- [Troubleshoot connecting Surface to a second screen](https://support.microsoft.com/help/4023496)
-
-- [Microsoft Surface Dock Firmware Update](https://docs.microsoft.com/surface/surface-dock-updater)
-
-## Surface Drivers and Firmware
-
-- [Surface Update History](https://support.microsoft.com/help/4036283)
-
-- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482)
-
-- [Deploy the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices)
-
-- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
-
-- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906)
+- [Microsoft Surface Data Eraser](https://docs.microsoft.com/surface/microsoft-surface-data-eraser)
## Deployment Issues
@@ -72,11 +76,3 @@ These are the top Microsoft Support solutions for common issues experienced when
- [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105)
- [System SKU reference](https://docs.microsoft.com/surface/surface-system-sku-reference)
-
-## Reset device
-
-- [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/help/4023512)
-
-- [FAQ: Protecting your data if you send your Surface in for Service](https://support.microsoft.com/help/4023508)
-
-- [Microsoft Surface Data Eraser](https://docs.microsoft.com/surface/microsoft-surface-data-eraser)
diff --git a/devices/surface/surface-book-gpu-overview.md b/devices/surface/surface-book-gpu-overview.md
new file mode 100644
index 0000000000..337ae2daf6
--- /dev/null
+++ b/devices/surface/surface-book-gpu-overview.md
@@ -0,0 +1,166 @@
+---
+title: Surface Book 3 GPU technical overview
+description: This article provides a technical evaluation of GPU capabilities across Surface Book 3 models.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 5/06/2020
+ms.reviewer: brrecord
+manager: laurawi
+audience: itpro
+---
+# Surface Book 3 GPU technical overview
+
+## Introduction
+
+Surface Book 3, the most powerful Surface laptop yet released, integrates fully modernized compute and graphics capabilities into its famous detachable form factor. Led by the quad-core 10th Gen Intel® Core™ i7 and NVIDIA® Quadro RTX™ 3000 graphical processing unit (GPU) on the 15-inch model, Surface Book 3 comes in a wide range of configurations for consumers, creative professionals, architects, engineers, and data scientists. This article explains the major differences between the GPU configurations across 13-inch and 15-inch models of Surface Book 3.
+
+A significant differentiator across Surface Book 3 models is the GPU configuration. In addition to the integrated Intel GPU built into all models, all but the entry-level, 13.5-inch core i5 device also feature a discrete NVIDIA GPU with Max-Q Design, which incorporates features that optimize energy efficiency for mobile form factors.
+
+Built into the keyboard base, the additional NVIDIA GPU provides advanced graphics rendering capabilities and comes in two primary configurations: GeForce® GTX® 1650/1660 Ti for consumers or creative professionals and Quadro RTX 3000 for creative professionals, engineers, and other business professionals who need advanced graphics or deep learning capabilities. This article also describes how to optimize app utilization of GPUs by specifying which apps should use the integrated iGPU versus the discrete NVIDIA GPU.
+
+## Surface Book 3 GPUs
+
+This section describes the integrated and discrete GPUs across Surface Book 3 models. For configuration details of all models, refer to [Appendix A: Surface Book 3 SKUs](#).
+
+### Intel Iris™ Plus Graphics
+
+The integrated GPU (iGPU) included on all Surface Book 3 models incorporates a wider graphics engine and a redesigned memory controller with support for LPDDR4X. Installed as the secondary GPU on most Surface Book 3 models, Intel Iris Plus Graphics functions as the singular GPU in the core i5, 13.5-inch model. Although nominally the entry level device in the Surface Book 3 line, it delivers advanced graphics capabilities enabling consumers, hobbyists, and online creators to run the latest productivity software like Adobe Creative Cloud or enjoy gaming titles in 1080p.
+
+### NVIDIA GeForce GTX 1650
+
+NVIDIA GeForce GTX 1650 with Max-Q design delivers a major upgrade of the core streaming multiprocessor to more efficiently handle the complex graphics of modern games. Its
+concurrent execution of floating point and integer operations boosts performance in compute-heavy workloads of modern games. A new unified memory architecture with twice the cache of its predecessor allows for better performance on complex modern games. New shading advancements improve performance, enhance image quality, and deliver new levels of geometric complexity.
+
+### NVIDIA GeForce GTX 1660 Ti
+
+Compared with the GeForce GTX 1650, the faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements and includes the new and upgraded NVIDIA Encoder, making it better for consumers, gamers, live streamers, and creative professionals.
+
+Thanks to 6 GB of GDDR6 graphics memory, Surface Book 3 models equipped with NVIDIA GeForce GTX 1660 TI provide superior speeds on advanced business productivity software and popular games especially when running the most modern titles or livestreaming. With an optional 2 TB SSD (available in U.S. only), the 15-inch model with GeForce GTX 1660 Ti delivers the most storage of any Surface Book 3 device.
+
+### NVIDIA Quadro RTX 3000
+
+NVIDIA Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance. A combination of 30 RT cores, 240 tensor cores, and 6 GB of GDDR6 graphics memory enables multiple advanced workloads including Al-powered workflows, 3D content creation, advanced video editing, professional broadcasting, and multi-app workflows. Enterprise level hardware and software support integrate deployment tools to maximize uptime and minimize IT support requirements. Certified for the world’s most advanced software, Quadro drivers are optimized for professional applications, and are tuned, tested, and validated to provide app certification, enterprise level stability, reliability, availability, and support with extended product availability.
+
+
+## Comparing GPUs across Surface Book 3
+
+NVIDIA GPUs provide users with great performance for gaming, live streaming, and content creation. GeForce GTX products are great for gamers and content creators. Quadro RTX products are targeted at professional users, provide great performance in gaming and content creation, and also add the following features:
+
+- RTX acceleration for ray tracing and AI. This makes it possible to render film-quality, photorealistic objects and environments with physically accurate shadows, reflections and refractions. And its hardware accelerated AI capabilities means the advanced AI-based features in popular applications can run faster than ever before.
+- Enterprise-level hardware, drivers and support, as well as ISV app certifications.
+- IT management features including an additional layer of dedicated enterprise tools for remote management that help maximize uptime and minimize IT support requirements.
+
+ Unless you count yourself among the ranks of advanced engineering, design, architecture, or data science professionals, Surface Book 3 equipped with NVIDIA GeForce graphics capabilities will likely meet your needs. Conversely, if you’re already in -- or aspiring to join -- a profession that requires highly advanced graphics capabilities in a portable form factor that lets you work from anywhere, Surface Book 3 with Quadro RTX 3000 deserves serious consideration. To learn more, refer to the Surface Book 3 Quadro RTX 3000 technical overview.
+
+**Table 1. Discrete GPUs on Surface Book 3**
+
+| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** |
+| -------------------- | -------------------------------------- | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| **Target users** | Gamers, hobbyists and online creators | Gamers, creative professionals and online creators | Creative professionals, architects, engineers, developers, data scientists |
+| **Workflows** | Graphic design
Photography
Video | Graphic design
Photography
Video | Al-powered Workflows
App certifications
High-res video
Pro broadcasting
Multi-app workflows |
+| **Key apps** | Adobe Creative Suite | Adobe Creative Suite | Adobe Creative Suite
Autodesk AutoCAD
Dassault Systemes SolidWorks |
+| **GPU acceleration** | Video and image processing | Video and image processing | Ray tracing + AI + 6K video
Pro broadcasting features
Enterprise support |
+
+
+
+**Table 2. GPU tech specs on Surface Book 3**
+
+| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** |
+| -------------------------------------------------------- | -------------------- | ----------------------- | ------------------- |
+| **NVIDIA CUDA processing cores** | 1024 | 1536 | 1920 |
+| **NVIDIA Tensor Cores** | No | No | 240 |
+| **NVIDIA RT Cores** | No | No | 30 |
+| **GPU memory** | 4 GB | 6 GB | 6 GB |
+| **Memory Bandwidth (GB/sec)** | Up to 112 | Up to 288 | Up to 288 |
+| **Memory type** | GDDR5 | GDDR6 | GDDR6 |
+| **Memory interface** | 128-bit | 192-bit | 192-bit |
+| **Boost clock MHz** | 1245 | 1425 | 1305 |
+| **Base clock (MHz)** | 1020 | 1245 | 765 |
+| **Real-time ray tracing** | No | No | Yes |
+| **AI hardware acceleration** | No | No | Yes |
+| **Hardware Encoder** | Yes | Yes | Yes |
+| **Game Ready Driver (GRD)** | Yes 1 | Yes 1 |Yes 2
+| **Studio Driver (SD)** | Yes 1 | Yes1 | Yes 1 |
+| **Optimal Driver for Enterprise (ODE)** | No | No | Yes |
+| **Quadro New Feature Driver (QNF)** | No | No | Yes |
+| **Microsoft DirectX 12 API, Vulkan API, Open GL 4.6** | Yes | Yes | Yes |
+| **High-bandwidth Digital Content Protection (HDCP) 2.2** | Yes | Yes | Yes |
+| **NVIDIA GPU Boost** | Yes | Yes | Yes |
+
+
+ 1. *Recommended*
+ 2. *Supported*
+
+## Optimizing power and performance on Surface Book 3
+
+Windows 10 includes a Battery Saver mode with a performance slider that lets you maximize app performance (by sliding it to the right) or preserve battery life (by sliding it to the left). Surface Book 3 implements this functionality algorithmically to optimize power and performance across the following components:
+
+- CPU Energy Efficiency Registers (Intel Speed Shift technology) and other SoC tuning parameters to maximize efficiency.
+- Fan Maximum RPM with four modes: quiet, nominal, performance, and max.
+- Processor Power Caps (PL1/PL2).
+- Processor IA Turbo limitations.
+
+By default, when the battery drops below 20 percent, the Battery Saver adjusts settings to extend battery life. When connected to power, Surface Book 3 defaults to “Best Performance” settings to ensure apps run in high performance mode on the secondary NVIDIA GPU present on all i7 Surface Book 3 systems.
+
+Using default settings is recommended for optimal performance when used as a laptop or detached in tablet or studio mode. You can access Battery Saver by selecting the battery icon on the far right of the taskbar.
+
+### Game mode
+
+Surface Book 3 includes a new game mode that automatically selects maximum performance settings when launched.
+
+### Safe Detach
+
+New in Surface Book 3, apps enabled for Safe Detach let you disconnect while the app is using the GPU. For supported apps like *World of Warcraft*, your work is moved to the iGPU.
+
+### Modifying app settings to always use a specific GPU
+
+You can switch between the power-saving but still capable built-in Intel graphics and the more powerful discrete NVIDIA GPU and associate a GPU with a specific app. By default, Windows 10 automatically chooses the appropriate GPU, assigning graphically demanding apps to the discrete NVIDIA GPU. In most instances there is no need to manually adjust these settings. However, if you frequently detach and reattach the display from the keyboard base while using a graphically demanding app, you’ll typically need to close the app prior to detaching. To enable continuous use of the app without having to close it every time you detach or reattach the display, you can assign it to the integrated GPU, albeit with some loss of graphics performance.
+
+In some instances, Windows 10 may assign a graphically demanding app to be iGPU; for example, if the app is not fully optimized for hybrid graphics. To remedy this, you can manually assign the app to the discrete NVIDIA GPU.
+
+**To configure apps using custom per-GPU options:**
+
+1. Go to **Settings** > **System** > **Display** and select **Graphics Settings**.
+
+ 1. For a Windows desktop program, choose **Classic App** > **Browse** and then locate the program.
+ 2. For a UWP app, choose **Universal App** and then select the app from the drop-down list.
+
+2. Select **Add** to create a new entry on the list for your selected program, select Options to open Graphics Specifications, and then select your desired option.
+
+ 
+
+3. To verify which GPU are used for each app, open **Task Manager,** select **Performance,** and view the **GPU Engine** column.
+
+
+## Appendix A: Surface Book 3 SKUs
+
+| **Display** | **Processor** | **GPU** | **RAM** | **Storage** |
+| ------------- | --------------------------------- | ---------------------------------------------------------------------------------------------------- | ---------- | ----------- |
+| **13.5-inch** | Quad-core 10th Gen Core i5-1035G7 | Intel Iris™ Plus Graphics | 16 LPDDR4x | 256 GB |
+| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 16 LPDDR4x | 256 GB |
+| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 32 LPDDR4x | 512 GB |
+| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 32 LPDDR4x | 1 TB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 16 LPDDR4x | 256 GB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 2 TB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB |
+
+> [!NOTE]
+> 2TB SSD available in U.S. only: Surface Book 3 15” with NVIDIA GTX 1660Ti
+
+## Summary
+
+Built for performance, Surface Book 3 includes different GPU configurations optimized to meet specific workload and use requirements. An integrated Intel Iris graphics GPU functions as the sole GPU on the entry-level core i5 device and as a secondary GPU on all other models. GeForce GTX 1650 features a major upgrade of the core streaming multiprocessor to run complex graphics more efficiently. The faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements making it better for consumers, gamers, live streamers, and creative professionals. Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance.
+
+
+## Learn more
+
+- [Surface Book 3 Quadro RTX 3000 technical overview](surface-book-quadro.md)
+- [Surface for Business](https://www.microsoft.com/surface/business)
diff --git a/devices/surface/surface-book-quadro.md b/devices/surface/surface-book-quadro.md
new file mode 100644
index 0000000000..eaf5870411
--- /dev/null
+++ b/devices/surface/surface-book-quadro.md
@@ -0,0 +1,136 @@
+---
+title: Surface Book 3 GPU technical overview
+description: This article describes the advanced capabilities enabled by Nvidia Quadro RTX 3000 in select Surface Book 3 for Business 15-inch models.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: v-jokai
+ms.topic: article
+ms.date: 5/06/2020
+ms.reviewer: brrecord
+manager: laurawi
+audience: itpro
+---
+
+# Surface Book 3 Quadro RTX 3000 technical overview
+
+Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, and advanced graphics and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3:
+
+- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
+- **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI.
+- **Advanced Graphics and Compute Technology** - Experience remarkable speed and interactivity during your most taxing graphics and compute workloads with 1,920 CUDA Cores and 6GB of GDDR6 memory.
+
+## Enterprise grade solution
+
+Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs providing an additional layer of quality assurance to validate stability, reliability, and performance.
+
+Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
+
+NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
+
+
+## Built for compute-intensive workloads
+
+Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
+
+- **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan.
+- **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes.
+- **Software developers across manufacturing, media & entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
+- **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research.
+
+
+**Table 1. Quadro RTX 3000 performance features**
+
+| **Component** | **Description** |
+| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. |
+| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
+| Turing optimized software | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications. |
+| NVIDIA CUDA parallel computing platform | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics. |
+| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain best application performance. |
+| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer making it the ideal platform for handling large datasets and latency-sensitive applications. |
+| Single instruction, multiple thread (SIMT) | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs. |
+| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
+| Dynamic load balancing | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization. |
+| Compute preemption | Preemption at the instruction-level provides finer grain control over compute tasks to prevent long-running applications from either monopolizing system resources or timing out. |
+| H.264, H.265 and HEVC encode/decode engines | Enables faster than real-time performance for transcoding, video editing, and other encoding applications with two dedicated H.264 and HEVC encode engines and a dedicated decode engine that are independent of 3D/compute pipeline. |
+| NVIDIA GPU boost 4.0 | Maximizes application performance automatically without exceeding the power and thermal envelope of the GPU. Allows applications to stay within the boost clock state longer under higher temperature threshold before dropping to a secondary temperature setting base clock. |
+
+ **Table 2. Quadro RTX tech specs**
+
+| **Component** | **Description** |
+| ---------------------------------------------------------- | --------------- |
+| NVIDIA CUDA processing cores | 1,920 |
+| NVIDIA RT Cores | 30 |
+| Tensor Cores | 240 |
+| GPU memory | 6 GB |
+| Memory bandwidth | 288 Gbps |
+| Memory type | GDDR6 |
+| Memory interface | 192-bit |
+| TGP max power consumption | 65W |
+| Display port | 1.4 |
+| OpenGL | 4.6 |
+| Shader model | 5.1 |
+| DirectX | 12.1 |
+| PCIe generation | 3 |
+| Single precision floating point performance (TFLOPS, Peak) | 5.4 |
+| Tensor performance (TOPS, Peak) | 42.9 |
+| NVIDIA FXAA/TX AA antialiasing | Yes |
+| GPU direct for video | Yes |
+| Vulkan support | Yes |
+| NVIDIA 3D vision Pro | Yes |
+| NVIDIA Optimus | Yes |
+
+
+## App acceleration
+
+The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in market March 2020.
+
+**Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000**
+
+| **App** | **Quadro RTX 3000 app acceleration capabilities**
|
+| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Adobe Dimension | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers. |
+| Adobe Substance Alchemist | - Create and blend materials with ease, featuring RTX-accelerated AI. |
+| Adobe Substance Painter | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows.
|
+| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers
- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray powered compatible with MDL.
- DXR-accelerated light and ambient occlusion baking. |
+| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, & perspective warp enable photographers and designers to modify images smoothly and quickly. |
+| Adobe Lightroom | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations.
- GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays.
- GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. |
+| Adobe Illustrator | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively. |
+| Adobe
Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU:
- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.
- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
+| Autodesk
Revit | - GPU-accelerated viewport for a smoother, more interactive design experience.
- Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape. |
+| Autodesk
3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.
- RTX-accelerated ray tracing and AI denoising ****with the default Arnold renderer.
- More than 70 percent faster compared with Surface Book 2 15”. |
+| Autodesk
Maya | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.
- OpenGL Viewport Acceleration. |
+| Dassault Systemes
Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.
- Runs more than 50% faster compared with Surface Book 2 15” |
+| Dassault Systemes
3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.
- Catia runs more than 100% faster compared with Surface Book 2 15. |
+| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”.. |
+| McNeel & Associates
Rhino 3D | - GPU-accelerated viewport for a smooth and interactive modelling and design experience.
- Supports Cycles for GPU-accelerated 3D rendering. |
+| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.
- Runs more than 10 x faster compared with Surface Book 2 15”.. |
+| Esri ArcGIS | - Real-time results from what took days & weeks, due to DL inferencing leveraging tensor cores. |
+| PTC Creo | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA.
- Runs more than 15% faster compared with Surface Book 2 15”. |
+| Luxion KeyShot | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising. |
+| ANSYS
Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA |
+## SKUs
+
+**Table 4. Surface Book 3 with Quadro RTX 3000 SKUs**
+
+| **Display** | **Processor** | **GPU** | **RAM** | **Storage** |
+| ----------- | --------------------------------- | ------------------------------------------------------------------------------------------------ | ---------- | ----------- |
+| 15-inch | Quad-core 10th Gen Core i7-1065G7 | Intel Iris™ Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB |
+| 15-inch | Quad-core 10th Gen Core i7-1065G7 | Intel Iris™ Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB |
+
+## Summary
+
+Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
+
+- RTX-acceleration across multiple workflows like design, animation, video production, and more.
+- Desktop-grade performance in a mobile form factor.
+- Enterprise-class features, reliability, and support for mission-critical projects.
+
+## Learn more
+
+- [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md)
+- [Surface for Business](https://www.microsoft.com/surface/business)
+- [Microsoft Cognitive Toolkit (CNTK)](https://docs.microsoft.com/cognitive-toolkit/)
\ No newline at end of file
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
index d57966b6cf..044b0e0437 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
@@ -6,14 +6,13 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
---
# Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
index 62c4129d08..11a032fb45 100644
--- a/devices/surface/surface-diagnostic-toolkit-business.md
+++ b/devices/surface/surface-diagnostic-toolkit-business.md
@@ -5,12 +5,12 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.date: 10/31/2019
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
index 6ea9d9ac55..035eec60da 100644
--- a/devices/surface/surface-diagnostic-toolkit-command-line.md
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -4,12 +4,11 @@ description: How to run Surface Diagnostic Toolkit in a command console
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 11/15/2018
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
index 738ec1ecae..795bff7f7f 100644
--- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -4,12 +4,11 @@ description: How to use SDT to help users in your organization run the tool to i
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 10/31/2019
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
index df3918d715..2b19282899 100644
--- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
+++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
@@ -4,12 +4,11 @@ description: This page provides an introduction to the Surface Diagnostic Toolki
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 06/11/2019
ms.reviewer: cottmca
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
@@ -30,11 +29,12 @@ Before you run the diagnostic tool, make sure you have the latest Windows update
**To run the Surface Diagnostic Toolkit for Business:**
-1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B).
+1. Download the Surface Diagnostic Toolkit for Business. To do this, go to the [**Surface Tools for IT** download page](https://www.microsoft.com/download/details.aspx?id=46703), choose **Download**, select **Surface Diagnostic Toolkit for Business** from the provided list, and choose **Next**.
2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business).
The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required.
-# If you still need help
+
+## If you still need help
If the Surface Diagnostic Toolkit for Business didn’t fix the problem, you can also:
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index dc3e5b41f0..26264b1509 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -1,67 +1,95 @@
---
-title: Microsoft Surface Dock Firmware Update
-description: This article explains how to use Microsoft Surface Dock Firmware Update, newly redesigned to update Surface Dock firmware while running in the background on your Surface device.
+title: Microsoft Surface Dock Firmware Update - Technical information for IT administrators
+description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: greg-lindsay
+ms.author: greglin
ms.topic: article
-ms.date: 10/09/2019
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
-# Microsoft Surface Dock Firmware Update
+# Microsoft Surface Dock Firmware Update: Technical information for IT administrators
-This article explains how to use Microsoft Surface Dock Firmware Update, newly redesigned to update Surface Dock firmware while running in the background on your Surface device. Once installed, it will update any Surface Dock attached to your Surface device.
+> [!IMPORTANT]
+> This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site. The instructions at the support site are the same as the general installation steps below, but this article has additional information for monitoring, verifying, and deploying the update to multiple devices on a network.
+
+This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
+
+This tool supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. The earlier tool was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number) and is no longer available for download and should not be used.
+
+## Install the Surface Dock Firmware Update
+
+This section describes how to manually install the firmware update.
> [!NOTE]
->Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version of the tool). The earlier tool has been retired, is no longer available for download, and should not be used.
-
-## To run Surface Dock Firmware Update
+> Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
- - The file is released in the following naming format: **Surface_Dock_FwUpdate_X.XX.XXX_Win10_XXXXX_XX.XXX.XXXXX_X.MSI** and installs by default to C:\Program Files\SurfaceUpdate.
- - Requires Surface devices running at least Windows 10 version 1803 or later.
+ - The update requires a Surface device running Windows 10, version 1803 or later.
+ - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
-2. After you connect Surface Dock to your Surface device, the tool checks the firmware status while running in the background.
-
-4. After several seconds, disconnect your Surface Dock from your device and then wait for 5 seconds before reconnecting. The Surface Dock Firmware Update will normally update the dock silently in background after you disconnect from the dock and reconnect. The process can take a few minutes to complete and will continue even if interrupted.
+2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
-### Manual installation
-If preferred, you can manually complete the update as follows:
+## Monitor the Surface Dock Firmware Update
-- Reconnect your Surface Dock for 2 minutes and then disconnect it from your device. The DisplayPort firmware update will be installed while the hardware is disconnected. The LED in the Ethernet port of the dock will blink while the update is in progress. Please wait until the LED stops blinking before you unplug your Surface Dock from power.
+This section is optional and provides an overview of how to monitor installation of the firmware update.
-> [!NOTE]
->
-> - Manually installing the MSI file may prompt you to restart Surface; however, restarting is optional and not required.
-> - You will need to disconnect and reconnect the dock twice before the update fully completes.
-> - To create a log file, specify the path in the Msiexec command. For example, append /l*v %windir%\logs\ SurfaceDockFWI.log".
+To monitor the update:
+
+1. Open Event Viewer, browse to **Windows Logs > Application**, and then under **Actions** in the right-hand pane click **Filter Current Log**, enter **SurfaceDockFwUpdate** next to **Event sources**, and then click **OK**.
+
+2. Type the following command at an elevated command prompt:
+
+ ```cmd
+ Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters"
+ ```
+3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article.
+4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**.
+ - If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current.
+5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example:
+ - Component10CurrentFwVersion 0x04ac3970 (78395760)
+ - Component20CurrentFwVersion 0x04915a70 (76634736)
+
+>[!TIP]
+>If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored.
+
+Also see the following sections in this article:
+ - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update)
+ - [Event logging](#event-logging)
+ - [Troubleshooting tips](#troubleshooting-tips)
+ - [Versions reference](#versions-reference)
## Network deployment
You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using Microsoft Endpoint Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent:
-- **Msiexec.exe /i /quiet /norestart**
+- **Msiexec.exe /i \ /quiet /norestart**
-> [!NOTE]
-> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
+ For example:
+ ```
+ msiexec /i "\\share\folder\Surface_Dock_FwUpdate_1.42.139_Win10_17134_19.084.31680_0.msi" /quiet /norestart
+ ```
-For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation.
+ > [!NOTE]
+ > A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]". For example: Msiexec.exe /i \ /l*v %windir%\logs\ SurfaceDockFWI.log"
+
+ For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation.
> [!IMPORTANT]
> If you want to keep your Surface Dock updated using any other method, refer to [Update your Surface Dock](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) for details.
## Intune deployment
+
You can use Intune to distribute Surface Dock Firmware Update to your devices. First you will need to convert the MSI file to the .intunewin format, as described in the following documentation: [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps/apps-win32-app-management).
Use the following command:
- - **msiexec /i /quiet /q**
+ - **msiexec /i \ /quiet /q**
-## How to verify completion of firmware update
+## How to verify completion of the firmware update
Surface dock firmware consists of two components:
@@ -74,11 +102,11 @@ Successful completion of Surface Dock Firmware Update results in new registry ke
1. Open Regedit and navigate to the following registry path:
-- **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters**
+ - **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters**
2. Look for the registry keys: **Component10CurrentFwVersion and Component20CurrentFwVersion**, which refer to the firmware that is currently on the device.
- 
+ 
3. Verify the new registry key values match the updated registry key values listed in the Versions reference at the end of this document. If the values match, the firmware was updated successfully.
@@ -117,11 +145,11 @@ Events are logged in the Application Event Log. Note: Earlier versions of this
- Ensure that the Surface Dock is disconnected, and then allow enough time for the update to complete as monitored via an LED in the Ethernet port of the dock. Wait until the LED stops blinking before you unplug Surface Dock from power.
- Connect the Surface Dock to a different device to see if it is able to update the dock.
-## Changes and updates
-
-Microsoft periodically releases new versions of Surface Dock Firmware Update.Note that the MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version of the MSI.
-
## Versions reference
+
+>[!NOTE]
+>The installation file is released with the following naming format: **Surface_Dock_FwUpdate_X.XX.XXX_Win10_XXXXX_XX.XXX.XXXXX_X.MSI** (ex: Surface_Dock_FwUpdate_1.42.139_Win10_17134_19.084.31680_0.msi) and installs by default to C:\Program Files\SurfaceUpdate.
+
### Version 1.42.139
*Release Date: September 18 2019*
diff --git a/devices/surface/surface-dock-whats-new.md b/devices/surface/surface-dock-whats-new.md
new file mode 100644
index 0000000000..253a73b069
--- /dev/null
+++ b/devices/surface/surface-dock-whats-new.md
@@ -0,0 +1,124 @@
+---
+title: What’s new in Surface Dock 2
+description: This article highlights new features and functionality for the next generation Surface Dock.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 5/06/2020
+ms.reviewer: brrecord
+manager: laurawi
+audience: itpro
+---
+# What’s new in Surface Dock 2
+
+Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. An extended set of management tools will be released via Windows update upon commercial distribution.
+
+## General system requirements
+
+- Windows 10 version 1809. There is no support for Windows 7, Windows 8, or non-Surface host devices. Surface Dock 2 works with the following Surface devices:
+
+ - Surface Pro (5th Gen)
+ - Surface Pro (5th Gen) with LTE Advanced
+ - Surface Laptop (1st Gen)
+ - Surface Pro 6
+ - Surface Book 2
+ - Surface Laptop 2
+ - Surface Go
+ - Surface Go with LTE Advanced
+ - Surface Studio 2
+ - Surface Pro 7
+ - Surface Laptop 3
+ - Surface Book 3
+ - Surface Go 2
+ - Surface Go 2 with LTE Advanced
+
+
+## Surface Dock 2 Components
+
+
+
+### USB
+
+- Two front facing USB-C ports.
+- Two rear facing USB-C (gen 2) ports.
+- Two rear facing USB-A ports.
+
+### Video
+
+- Dual 4K@60hz. Supports up to two displays on the following devices:
+
+ - Surface Book 3
+ - Surface Go 2
+ - Surface Go 2 with LTE Advanced
+ - Surface Pro 7
+ - Surface Pro X
+ - Surface Laptop 3
+
+- Dual 4K@ 4K@30Hz. Supports up to two displays on the following devices:
+
+ - Surface Pro 6
+ - Surface Pro (5th Gen)
+ - Surface Pro (5th Gen) with LTE Advanced
+ - Surface Laptop 2
+ - Surface Laptop (1st Gen)
+ - Surface Go
+ - Surface Book 2.
+
+### Ethernet
+
+- 1 gigabit Ethernet port.
+
+### External Power supply
+
+- 199 watts supporting 100V-240V.
+
+
+## Comparing Surface Dock 2
+
+### Table 1. Surface Dock 2 tech specs comparison
+
+|Component|Surface Dock|Surface Dock 2|
+|---|---|---|
+|Surflink|Yes|Yes|
+|USB-A|2 front facing USB 3.1 Gen 1
2 rear facing USB 3.1 Gen 1|2 rear facing USB 3.2 Gen 2 (7.5W power)|
+|Mini Display port|2 rear facing (DP1.2)|None|
+|USB-C|None|2 front facing USB 3.2 Gen 2
[15W power]
2 rear facing USB 3.2 Gen 2 (DP1.4a)
[7.5W power]|
+|3.5 mm Audio in/out|Yes|Yes|
+|Ethernet|Yes, 1 gigabit|Yes 1 gigabit|
+|DC power in|Yes|Yes|
+|Kensington lock|Yes|Yes|
+|Surflink cable length|65cm|80cm|
+|Surflink host power|60W|120W|
+|USB load power|30W|60W|
+|USB bit rate|5 Gbps|10 Gbps|
+|Monitor support|2 x 4k @30fps, or
1 x 4k @ 60fps|2 x 4K @ 60fps|
+|Wake-on-LAN from Connected Standby1|Yes|Yes|
+|Wake-on-LAN from S4/S5 sleep modes|No|Yes|
+|Network PXE boot|Yes|Yes|
+|SEMM host access control|No|Coming in Windows Update2|
+|SEMM port access control3|No|Coming in Windows Update|
+|Servicing support|MSI|Windows Update or MSI|
+||||
+
+1. *Devices must be configured for Wake on LAN via Surface Enterprise Management Mode (SEMM) or Device Firmware Control Interface (DFCI) to wake from Hibernation or Power-Off states. Wake from Hibernation or Power-Off is supported on Surface Pro 7, Surface Laptop 3, Surface Pro X, Surface Book 3, and Surface Go 2. Software license required for some features. Sold separately.*
+
+2. *Pending release via Windows Update.*
+
+3. *Software license required for some features. Sold separately.*
+
+## Streamlined device management
+
+Following the public announcement of Surface Dock 2, Surface will release streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features:
+
+- **Frictionless updates**. Update your docks silently and automatically, with Windows Update or Microsoft Endpoint Configuration Manager, (formerly System Center Configuration Manager - SCCM) or other MSI deployment tools.
+- **Wake from the network**. Manage and access corporate devices without depending on users to keep their devices powered on. Even when a docked device is in sleep, hibernation, or power off mode, your team can wake from the network for service and management, using Endpoint Configuration Manager or other enterprise management tools.
+- **Centralized IT control**. Control who can connect to Surface Dock 2 by turning ports on and off. Restrict which host devices can be used with Surface Dock 2. Limit dock access to a single user or configure docks so they can only be accessed by specific users in your team or across the entire company.
+
+## Next steps
+
+- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
+- [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 52e193b6dd..fc88993c64 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -6,12 +6,11 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 12/02/2019
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md
index efb5fa93b5..f21805f1a7 100644
--- a/devices/surface/surface-manage-dfci-guide.md
+++ b/devices/surface/surface-manage-dfci-guide.md
@@ -5,12 +5,12 @@ ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.date: 11/13/2019
ms.reviewer: jesko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Intune management of Surface UEFI settings
diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md
index fd98f72368..488eeca1a2 100644
--- a/devices/surface/surface-pro-arm-app-management.md
+++ b/devices/surface/surface-pro-arm-app-management.md
@@ -5,12 +5,12 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: high
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 1/22/2020
+ms.date: 4/15/2020
ms.reviewer: jessko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Deploying, managing, and servicing Surface Pro X
@@ -44,7 +44,7 @@ Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager
A component of Microsoft Enterprise Mobility + Security, Intune integrates with Azure Active Directory for identity and access control and provides granular management of enrolled Surface Pro X devices. Intune mobile device management (MDM) policies have a number of advantages over older on-premises tools such as Windows Group Policy. This includes faster device login times and a more streamlined catalog of policies enabling full device management from the cloud. For example, you can manage LTE using eSIM profiles to configure data plans and deploy activation codes to multiple devices.
-For more information about setting up Intune, refer to the [Intune documentation](https://docs.microsoft.com/intune/).
+For more information about using Intune, refer to the [Intune documentation](https://docs.microsoft.com/intune/).
### Co-management
@@ -109,9 +109,9 @@ Popular browsers run on Surface Pro X:
## Installing and using Microsoft Office
- Use Office 365 for the best experience on a Windows 10 PC on an ARM-based processor.
-- Office 365 “click-to-run” installs Outlook, Word, Excel, and PowerPoint, optimized to run on a Windows 10 PC on an ARM-based processor.
+- Office 365 "click-to-run" installs Outlook, Word, Excel, and PowerPoint, optimized to run on a Windows 10 PC on an ARM-based processor.
- Microsoft Teams runs great on Surface Pro X.
-- For “perpetual versions” of Office such as Office 2019, install the 32-bit version.
+- For "perpetual versions" of Office such as Office 2019, install the 32-bit version.
## VPN
@@ -139,10 +139,10 @@ The following tables show the availability of selected key features on Surface P
| Endpoint Configuration Manager | Yes | Yes | |
| Power on When AC Restore | Yes | Yes | |
| Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | |
-| Surface Dock Firmware Update | Yes | Yes | |
+| Surface Dock Firmware Update | Yes | No | |
| Asset Tag Utility | Yes | Yes | |
| Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
-| Surface UEFI Configurator | Yes | | No option to disable hardware. on Surface Pro X at the firmware level. |
+| Surface UEFI Configurator | Yes | No | No option to disable hardware. on Surface Pro X at the firmware level. |
| Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
diff --git a/devices/surface/surface-pro-arm-app-performance.md b/devices/surface/surface-pro-arm-app-performance.md
index baa547d04b..4459d6052b 100644
--- a/devices/surface/surface-pro-arm-app-performance.md
+++ b/devices/surface/surface-pro-arm-app-performance.md
@@ -5,12 +5,12 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.date: 10/03/2019
ms.reviewer: jessko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Surface Pro X app compatibility
diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md
index dbcb9648b0..c0de20193f 100644
--- a/devices/surface/surface-system-sku-reference.md
+++ b/devices/surface/surface-system-sku-reference.md
@@ -6,12 +6,12 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 10/31/2019
+ms.date: 03/09/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
@@ -24,24 +24,22 @@ System Model and System SKU are variables that are stored in the System Manageme
| Device | System Model | System SKU |
| ---------- | ----------- | -------------- |
-| AMD Surface Laptop 3 | Surface 3 | Surface_Laptop_3_1873 |
-| Surface Laptop 3 | Surface 3 | Surface_Laptop_3_1867:1868 |
-| Surface Laptop 3 | Surface 3 | Surface_3
| Surface 3 WiFI | Surface 3 | Surface_3 |
| Surface 3 LTE AT&T | Surface 3 | Surface_3_US1 |
| Surface 3 LTE Verizon | Surface 3 | Surface_3_US2 |
| Surface 3 LTE North America | Surface 3 | Surface_3_NAG |
-| Surface 3 LTE Outside of North America and Y!mobile In Japan | Surface 3 | Surface_3_ROW |
+| Surface 3 LTE outside of North America and Y!mobile in Japan | Surface 3 | Surface_3_ROW |
| Surface Pro | Surface Pro | Surface_Pro_1796 |
| Surface Pro with LTE Advanced | Surface Pro | Surface_Pro_1807 |
-| Surface Book 2 13inch | Surface Book 2 | Surface_Book_1832 |
-| Surface Book 2 15inch | Surface Book 2 | Surface_Book_1793 |
+| Surface Book 2 13" | Surface Book 2 | Surface_Book_1832 |
+| Surface Book 2 15" | Surface Book 2 | Surface_Book_1793 |
| Surface Go LTE Consumer | Surface Go | Surface_Go_1825_Consumer |
| Surface Go LTE Commercial | System Go | Surface_Go_1825_Commercial |
| Surface Go Consumer | Surface Go | Surface_Go_1824_Consumer |
| Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial |
| Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer |
| Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial |
+| Surface Laptop | Surface Laptop | Surface_Laptop |
| Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer |
| Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial |
| Surface Pro 7 | Surface Pro 7 | Surface_Pro_7_1866 |
diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md
index 6e225137c2..24a358065b 100644
--- a/devices/surface/surface-wireless-connect.md
+++ b/devices/surface/surface-wireless-connect.md
@@ -4,14 +4,13 @@ description: This topic describes recommended Wi-Fi settings to ensure Surface d
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
+author: coveminer
ms.audience: itpro
ms.localizationpriority: medium
-ms.author: dansimp
+ms.author: v-jokai
ms.topic: article
-ms.date: 10/31/2019
ms.reviewer: tokatz
-manager: dansimp
+manager: laurawi
---
# Optimize Wi-Fi connectivity for Surface devices
diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md
index 39b70f6006..0caea932ab 100644
--- a/devices/surface/unenroll-surface-devices-from-semm.md
+++ b/devices/surface/unenroll-surface-devices-from-semm.md
@@ -6,12 +6,11 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 01/06/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index ac6102c2ef..c9345502d8 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -6,14 +6,14 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
+ms.date: 04/24/2020
---
# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
@@ -38,216 +38,7 @@ manager: dansimp
- Surface Pro
- Windows 10
-In addition to the traditional deployment method of reimaging devices, administrators that want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade. The process described in this article shows how to perform a Windows 10 upgrade deployment to Surface devices.
+In addition to the traditional deployment method of reimaging devices, administrators who want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade.
-If you are not already familiar with the deployment of Windows or the Microsoft deployment tools and technologies, you should read [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) and familiarize yourself with the traditional deployment method before you proceed.
+For the latest information about upgrading surface devices using MDT, refer to [Perform an in-place upgrade to Windows 10 with MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
-#### The upgrade concept
-
-When you use the factory installation media to install Windows on a device, you are presented with two options or *installation paths* to install Windows on that device. The first of these installation paths – *clean installation* – allows you to apply a factory image of Windows to that device, including all default settings. The second of these installation paths – *upgrade* – allows you to apply Windows to the device but retains the device’s users, apps, and settings.
-
-When you perform a Windows deployment using traditional deployment methods, you follow an installation path that is very similar to a clean installation. The primary difference between the clean installation and the traditional deployment method of *reimaging* is that with reimaging, you can apply an image that includes customizations. Microsoft deployment technologies, such as the Microsoft Deployment Toolkit (MDT), expand the capabilities of the reimaging process by modifying the image during deployment. For example, MDT is able to inject drivers for a specific hardware configuration during deployment, and with pre and post imaging scripts to perform a number of tasks, such as the installation of applications.
-
-For versions of Windows prior to Windows 10, if you wanted to install a new version of Windows on your devices and preserve the configuration of those systems, you had to perform additional steps during your deployment. For example, if you wanted to keep the data of users on the device, you had to back up user data with the User State Migration Tool (USMT) prior to the deployment and restore that data after the deployment had completed.
-
-Introduced with Windows 10 and MDT 2013 Update 1, you can use the upgrade installation path directly with Microsoft deployment technologies such as the Microsoft Deployment Toolkit (MDT). With an upgrade deployment you can use the same deployment technologies and process, but you can preserve users settings, and applications of the existing environment on the device.
-
-> [!NOTE]
-> MDT is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
-
-## Deployment tools and resources
-
-Performing an upgrade deployment of Windows 10 requires the same tools and resources that are required for a traditional reimaging deployment. You can read about the tools required, including detailed explanations and installation instructions, in [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md). To proceed with the upgrade deployment described in this article, you will need the following tools installed and configured:
-
-* [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741)
-* [Windows Assessment and Deployment Kit (Windows ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk), which includes:
- * Deployment Image Servicing and Management (DISM)
- * Windows Preinstallation Environment (Windows PE)
- * Windows System Image Manager (Windows SIM)
-
-You will also need to have available the following resources:
-
-* Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
-
- >[!NOTE]
- >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
-* [Surface firmware and drivers](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
-
-* Application installation files for any applications you want to install, such as the Surface app
-
-## Prepare the upgrade deployment
-
-Before you begin the process described in this section, you need to have installed and configured the deployment tools outlined in the previous [Deployment tools and resources](#deployment-tools-and-resources) section. For instructions on how to install and configure the deployment tools, see the **Install the deployment tools** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#install-the-deployment-tools) article. You will also have needed to create a deployment share with MDT, described in the section Create a Deployment Share in the aforementioned article.
-
-### Import Windows 10 installation files
-
-Windows 10 installation files only need to be imported if you have not already done so in the deployment share. To import Windows 10 installation files, follow the steps described in the **Import Windows installation files** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#import-windows-installation-files) article.
-
-### Import Surface drivers
-In the import process example shown in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, drivers for Surface Pro 4 were imported for Windows 10. To perform an upgrade deployment of Windows 10 to Surface Pro 3, drivers for Surface Pro 3 must also be imported. To import the Surface drivers for Surface Pro 3, follow these steps:
-
-1. Download the Surface Pro 3 firmware and driver pack for Windows 10 archive file (.zip), SurfacePro3_Win10_xxxxxx.zip, from the [Surface Pro 3 download page](https://www.microsoft.com/download/details.aspx?id=38826) in the Microsoft Download Center.
-2. Extract the contents of the Surface Pro 3 firmware and driver pack archive file to a temporary folder. Keep the driver files separate from other drivers or files.
-3. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
-4. If you have not already created a folder structure by operating system version, you should do so next. Under the **Windows 10 x64** folder, create a new folder for Surface Pro 3 drivers named **Surface Pro 3**. Your Out-of-Box Drivers folder should resemble the following structure:
- * WinPE x86
- * WinPE x64
- * Windows 10 x64
- * Microsoft Corporation
- * Surface Pro 4
- * Surface Pro 3
-5. Right-click the **Surface Pro 3** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
-
- 
-
- *Figure 1. Import Surface Pro 3 drivers for Windows 10*
-
-6. The Import Driver Wizard displays a series of steps, as follows:
- - **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 3 firmware and drivers in Step 1.
- - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- - **Progress** – While the drivers are imported, a progress bar is displayed on this page.
- - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Drivers Wizard.
-7. Select the **Surface Pro 3** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 2.
-
- 
-
- *Figure 2. Drivers for Surface Pro 3 imported and organized in the MDT deployment share*
-
-### Import applications
-
-Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.)
-
-There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
-
-### Create the upgrade task sequence
-
-After you have all of the resources in place to perform the deployment (including the installation files, Surface drivers, and application files), the next step is to create the upgrade task sequence. This task sequence is a series of steps that will be performed on the device being upgraded that applies the new Windows environment, compatible drivers, and any applications you have specified.
-
-Create the upgrade task sequence with the following process:
-
-1. In the Deployment Workbench under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
-2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
- - **General Settings** – Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**.
- >[!NOTE]
- >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
- - **Select Template** – Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**.
- - **Select OS** – Navigate to and select the Windows image that you imported, and then click **Next**.
- - **Specify Product Key** – Select the product key entry that fits your organization’s licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
- - **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
- - **Admin Password** – Select **Use the Specified Local Administrator Password** and enter a password in the provided fields, and then click **Next**.
- - **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
- - **Progress** – While the task sequence is being created, a progress bar is displayed on this page.
- - **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete New Task Sequence Wizard.
-
-After the task sequence is created, you can modify some additional settings to provide additional automation of the task sequence and require less interaction during deployment. Follow these steps to modify the task sequence:
-
-1. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
-2. Select the **Task Sequence** tab to view the steps that are included in the new task sequence.
-3. Select the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
-4. Click the **Options** tab, and then clear the **Disable This Step** check box.
-5. Repeat Step 3 and Step 4 for the **Windows Update (Post-Application Installation)** step.
-6. Between the two Windows Update steps is an **Install Applications** step. Select that step and then click **Add**.
-7. Hover the mouse over **General** under the **Add** menu, and then choose **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
-
- 
-
- *Figure 3. A new Install Application step in the deployment task sequence*
-
-8. On the **Properties** tab of the new **Install Application** step, enter **Install Surface App** in the **Name** field.
-9. Select **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
-10. Select **Surface App** from the list of applications, and then click **OK**.
-11. Expand the **Preinstall** folder and select the **Enable BitLocker (Offline)** step.
-12. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
-13. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 4) configure the following options:
-
- - **Name** – Set DriverGroup001
- - **Task Sequence Variable** – DriverGroup001
- - **Value** – Windows 10 x64\%Make%\%Model%
-
- 
-
- *Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence*
-
-14. Select the **Inject Drivers** step, the next step in the task sequence.
-15. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 5) configure the following options:
- * In the **Choose a selection profile** drop-down menu, select **Nothing**.
- * Click the **Install all drivers from the selection profile** button.
-
- 
-
- *Figure 5. Configure the deployment task sequence to not install drivers*
-
-16. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
-
-Steps 11 through 15 are very important to the deployment of Surface devices. These steps instruct the task sequence to install only drivers that are organized into the correct folder using the organization for drivers from the [Import Surface drivers](#import-surface-drivers) section.
-
-### Deployment share rules
-
-To automate the upgrade process, the rules of the MDT deployment share need to be modified to suppress prompts for information from the user. Unlike a traditional deployment, Bootstrap.ini does not need to be modified because the deployment process is not started from boot media. Similarly, boot media does not need to be imported into WDS because it will not be booted over the network with PXE.
-
-To modify the deployment share rules and suppress the Windows Deployment Wizard prompts for information, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties:
-
-```
-[Settings]
-Priority=Model,Default
-Properties=MyCustomProperty
-
-[Surface Pro 4]
-SkipTaskSequence=YES
-TaskSequenceID=Win10SP4
-
-[Surface Pro 3]
-SkipTaskSequence=YES
-TaskSequenceID=Win10SP3Up
-
-[Default]
-OSInstall=Y
-SkipCapture=YES
-SkipAdminPassword=YES
-SkipProductKey=YES
-SkipComputerBackup=YES
-SkipBitLocker=YES
-SkipBDDWelcome=YES
-SkipUserData=YES
-UserDataLocation=AUTO
-SkipApplications=YES
-SkipPackageDisplay=YES
-SkipComputerName=YES
-SkipDomainMembership=YES
-JoinDomain=contoso.com
-DomainAdmin=MDT
-DomainAdminDomain=contoso
-DomainAdminPassword=P@ssw0rd
-SkipLocaleSelection=YES
-KeyboardLocale=en-US
-UserLocale=en-US
-UILanguage=en-US
-SkipTimeZone=YES
-TimeZoneName=Pacific Standard Time
-UserID=MDTUser
-UserDomain=STNDeployServer
-UserPassword=P@ssw0rd
-SkipSummary=YES
-SkipFinalSummary=YES
-FinishAction=LOGOFF
-```
-
-
-
-For more information about the rules configured by this text, see the **Configure deployment share rules** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#configure-deployment-share-rules) article.
-
-### Update deployment share
-
-To update the deployment share, right-click the deployment share in the Deployment Workbench and click **Update Deployment Share**, then proceed through the Update Deployment Share Wizard. See the **Update and import updated MDT boot media** section of the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#update-and-import-updated-mdt-boot-media) article for detailed steps.
-
-### Run the upgrade deployment
-
-Unlike a traditional deployment, the upgrade task sequence must be launched from within the Windows environment that will be upgraded. This requires that a user on the device to be upgraded navigate to the deployment share over the network and launch a script, LiteTouch.vbs. This script is the same script that displays the Windows Deployment Wizard in Windows PE in a traditional deployment. In this scenario, Litetouch.vbs will run within Windows. To perform the upgrade task sequence and deploy the upgrade to Windows 10 follow these steps:
-
-1. Browse to the network location of your deployment share in File Explorer.
-2. Navigate to the **Scripts** folder, locate **LiteTouch.vbs**, and then double-click **LiteTouch.vbs** to start the Windows Deployment Wizard.
-3. Enter your credentials when prompted.
-4. The upgrade task sequence for Surface Pro 3 devices will automatically start when the model of the device is detected and determined to match the deployment share rules.
-5. The upgrade process will occur automatically and without user interaction.
-
-The task sequence will automatically install the drivers for Surface Pro 3 and the Surface app, and will perform any outstanding Windows Updates. When it completes, it will log out and be ready for the user to log on with the credentials they have always used for this device.
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index 0cf1ab9bda..21616dc89e 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -6,12 +6,11 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 11/22/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
@@ -75,10 +74,9 @@ To create a new application and deploy it to a collection that contains your Sur
* **Import Information** – The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Select **Next** to proceed.
-
- 
-
- *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed*
+ 
+
+ *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed*
* **General Information** – You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Select **Next** to proceed.
* **Summary** – The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Select **Next** to confirm your selections and create the application.
@@ -107,7 +105,7 @@ The sample scripts include examples of how to set Surface UEFI settings and how
The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, and the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script.
- ```
+ ```powershell
56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
57 $packageRoot = "$WorkingDirPath\Config"
58 $certName = "FabrikamSEMMSample.pfx"
@@ -137,7 +135,7 @@ On line 73, replace the value of the **$password** variable, from **1234** to th
> [!Note]
> The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this.
-```
+```powershell
150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
151 # For convenience we get the thumbprint here and present to the user.
152 $pw = ConvertTo-SecureString $password -AsPlainText -Force
@@ -163,7 +161,7 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin
The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras.
-```
+```powershell
210 # Configure Permissions
211 foreach ($uefiV2 IN $surfaceDevices.Values) {
212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
@@ -215,7 +213,7 @@ You can find information about the available settings names and IDs for Surface
The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows.
-```
+```powershell
291 # Configure Settings
292 foreach ($uefiV2 IN $surfaceDevices.Values) {
293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
@@ -277,7 +275,7 @@ To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 sc
The following code fragment, found on lines 380-477, is used to write these registry keys.
-```
+```powershell
380 # For Endpoint Configuration Manager or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
381 $UTCDate = (Get-Date).ToUniversalTime().ToString()
382 $certIssuer = $certPrint.Issuer
@@ -384,56 +382,11 @@ To configure Surface UEFI settings or permissions for Surface UEFI settings, you
The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device.
-The following tables show the available settings for Surface Pro 4 and later including Surface Pro 7, Surface Book, Surface Laptop 3, and Surface Go.
+The best way to view the most current Setting names and IDs for devices is to use the ConfigureSEMM.ps1 script or the ConfigureSEMM - .ps1 from the SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/download/details.aspx?id=46703).
-*Table 1. Surface UEFI settings for Surface Pro 4*
+Setting names and IDs for all devices can be seen in the ConfigureSEMM.ps1 script.
-| Setting ID | Setting Name | Description | Default Setting |
-| --- | --- | --- | --- |
-|501| Password | UEFI System Password | |
-|200| Secure Boot Keys | Secure Boot signing keys to enable for EFI applications | MsPlus3rdParty |
-|300| Trusted Platform Module (TPM) | TPM device enabled or disabled | Enabled |
-|301| Docking USB Port | Docking USB Port enabled or disabled | Enabled |
-|302| Front Camera | Front Camera enabled or disabled | Enabled |
-|303| Bluetooth | Bluetooth radio enabled or disabled | Enabled |
-|304| Rear Camera | Rear Camera enabled or disabled | Enabled |
-|305| IR Camera | InfraRed Camera enabled or disabled | Enabled |
-|308| Wi-Fi and Bluetooth | Wi-Fi and Bluetooth enabled or disabled | Enabled |
-|310| Type Cover | Surface Type Cover connector | Enabled |
-|320| On-board Audio | On-board audio enabled or disabled | Enabled |
-|330| Micro SD Card | Micro SD Card enabled or disabled | Enabled |
-|370| USB Port 1 | Side USB Port (1) | UsbPortEnabled |
-|400| IPv6 for PXE Boot | Enable IPv6 PXE boot before IPv4 PXE boot |Disabled |
-|401| Alternate Boot | Alternate Boot allows users to override the boot order by holding the volume down button when powering up the device | Enabled |
-|402| Boot Order Lock | Boot Order variable lock enabled or disabled | Disabled |
-|403| USB Boot | Enable booting from USB devices | Enabled |
-|500| TPM clear EFI protocol | Enable EFI protocol for invoking TPM clear | Disabled |
-|600| Security | UEFI Security Page Display enabled or disabled | Enabled |
-|601| Devices | UEFI Devices Page Display enabled or disabled | Enabled |
-|602| Boot | UEFI Boot Manager Page Display enabled or disabled | Enabled |
-
-*Table 2. Surface UEFI settings for Surface Book*
-
-| Setting ID | Setting Name | Description | Default Setting |
-| --- | --- | --- | --- |
-| 501 | Password | UEFI System Password | |
-| 200 | Secure Boot Keys | Secure Boot signing keys to enable for EFI applications | MsPlus3rdParty |
-| 300 | Trusted Platform Module (TPM) | TPM device enabled or disabled | Enabled |
-| 301 | Docking USB Port | Docking USB Port enabled or disabled | Enabled |
-| 302 | Front Camera | Front Camera enabled or disabled | Enabled |
-| 303 | Bluetooth | Bluetooth radio enabled or disabled | Enabled |
-| 304 | Rear Camera | Rear Camera enabled or disabled | Enabled |
-| 305 | IR Camera | InfraRed Camera enabled or disabled | Enabled |
-| 308 | Wi-Fi and Bluetooth | Wi-Fi and Bluetooth enabled or disabled | Enabled |
-| 320 | On-board Audio | On-board audio enabled or disabled | Enabled |
-| 400 | IPv6 for PXE Boot Enable | IPv6 PXE boot before IPv4 PXE boot | Disabled |
-| 401 | Alternate Boot | Alternate Boot allows users to override the boot order by holding the volume down button when powering up the device | Enabled |
-| 402 | Boot Order Lock | Boot Order variable lock enabled or disabled | Disabled |
-| 403 | USB Boot | Enable booting from USB devices | Enabled |
-| 500 | TPM clear EFI protocol | Enable EFI protocol for invoking TPM clear | Disabled |
-| 600 | Security | UEFI Security Page Display enabled or disabled | Enabled |
-| 601 | Devices | UEFI Devices Page Display enabled or disabled | Enabled |
-| 602 | Boot | UEFI Boot Manager Page Display enabled or disabled | Enabled |
+Setting names and IDs for specific devices can be seen in the ConfigureSEMM - .ps1 scripts. For example, setting names and IDs for Surface Pro X can be found in the ConfigureSEMM – ProX.ps1 script.
## Deploy SEMM Configuration Manager scripts
@@ -480,10 +433,10 @@ To add the SEMM Configuration Manager scripts to Configuration Manager as an app
- Select **Registry** from the **Setting Type** drop-down menu.
- Select **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu.
- Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field.
- - Enter **Enabled_Version1000** in the **Value** field.
+ - Enter **CertName** in the **Value** field.
- Select **String** from the **Data Type** drop-down menu.
- Select the **This registry setting must satisfy the following rule to indicate the presence of this application** button.
- - Enter **1** in the **Value** field.
+ - Enter the name of the certificate you entered in line 58 of the script in the **Value** field.
- Select **OK** to close the **Detection Rule** window.
diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md
index 20ad4f6903..0309d071ec 100644
--- a/devices/surface/using-the-sda-deployment-share.md
+++ b/devices/surface/using-the-sda-deployment-share.md
@@ -6,14 +6,13 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Using the Microsoft Surface Deployment Accelerator deployment share
diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md
index 53ff389c02..a6686dcf69 100644
--- a/devices/surface/wake-on-lan-for-surface-devices.md
+++ b/devices/surface/wake-on-lan-for-surface-devices.md
@@ -7,12 +7,11 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 12/30/2019
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index 1c8eaa3c06..b4da164970 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -1,19 +1,18 @@
---
title: Windows Autopilot and Surface devices
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Find out about Windows Autopilot deployment options for Surface devices.
keywords: autopilot, windows 10, surface, deployment
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 02/06/2020
---
# Windows Autopilot and Surface devices
@@ -25,34 +24,42 @@ Windows Autopilot-registered devices are identified over the Internet at first s
You can register Surface devices at the time of purchase from a Surface partner that's enabled for Windows Autopilot. These partners can ship new devices directly to your users. The devices will be automatically enrolled and configured when they are first turned on. This process eliminates reimaging during deployment, which lets you implement new, agile methods of device management and distribution.
## Modern management
+
Autopilot is the recommended deployment option for Surface devices, including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed for deployment through Autopilot.
It's best to enroll your Surface devices with the help of a Microsoft Cloud Solution Provider. This step allows you to manage UEFI firmware settings on Surface directly from Intune. It eliminates the need to physically touch devices for certificate management. See [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) for details.
## Windows version considerations
+
Broad deployment of Surface devices through Windows Autopilot, including enrollment by Surface partners at the time of purchase, requires Windows 10 Version 1709 (Fall Creators Update) or later.
These Windows versions support a 4,000-byte (4k) hash value that uniquely identifies devices for Windows Autopilot, which is necessary for deployments at scale. All new Surface devices, including Surface Pro 7, Surface Pro X, and Surface Laptop 3, ship with Windows 10 Version 1903 or later.
+## Exchange experience on Surface devices in need of repair or replacement
+
+Microsoft automatically checks every Surface for Autopilot enrollment and will deregister the device from the customer's tenant. Microsoft ensures the replacement device is enrolled into Windows Autopilot once a replacement is shipped back to the customer. This service is available on all device exchange service orders directly with Microsoft.
+
+> [!NOTE]
+> When customers use a Partner to return devices, the Partner is responsible for managing the exchange process including deregistering and enrolling devices into Windows Autopilot.
+
## Surface partners enabled for Windows Autopilot
Select Surface partners can enroll Surface devices in Windows Autopilot for you at the time of purchase. They can also ship enrolled devices directly to your users. The devices can be configured entirely through a zero-touch process by using Windows Autopilot, Azure AD, and mobile device management.
Surface partners that are enabled for Windows Autopilot include:
-- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp)
-- [Atea](https://www.atea.com/)
-- [Bechtle](https://www.bechtle.com/backend/cms/marken/microsoft/microsoft-windows-autopilot)
-- [Cancom](https://www.cancom.de/)
-- [CDW](https://www.cdw.com/)
-- [Computacenter](https://www.computacenter.com/uk)
-- [Connection](https://www.connection.com/brand/microsoft/microsoft-surface)
-- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html)
-- [SHI](https://www.shi.com/Surface)
-- [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/)
-- [Techdata](https://www.techdata.com/)
+| US partners | Global partners | US distributors |
+|--------------|---------------|-------------------|
+| * [CDW](https://www.cdw.com/) | * [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) | * [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/) |
+| * [Connection](https://www.connection.com/brand/microsoft/microsoft-surface) | * [ATEA](https://www.atea.com/) | * [Techdata](https://www.techdata.com/) |
+| * [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) | * [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) | * [Ingram](https://go.microsoft.com/fwlink/p/?LinkID=2128954) |
+| * [SHI](https://www.shi.com/Surface) | * [Cancom](https://www.cancom.de/) | |
+| * [LDI Connect](https://www.myldi.com/managed-it/) | * [Computacenter](https://www.computacenter.com/uk) | |
+| * [F1](https://www.functiononeit.com/#empower) | | |
+| * [Protected Trust](https://go.microsoft.com/fwlink/p/?LinkID=2129005) | | |
## Learn more
+
For more information about Windows Autopilot, see:
- [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot)
- [Windows Autopilot requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements)
\ No newline at end of file
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index c081cfa696..280778ccb4 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -558,16 +558,16 @@ Complete the following steps to select the appropriate Office 365 Education lice
1. Determine the number of faculty members and students who will use the classroom. Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
-2. Determine the faculty members and students who need to install Microsoft Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 8 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
+2. Determine the faculty members and students who need to install Microsoft Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Microsoft 365 Apps for enterprise plans). Table 8 lists the advantages and disadvantages of standard and Microsoft 365 Apps for enterprise plans.
|Plan |Advantages |Disadvantages |
|----- |----------- |------------- |
- |Office 365 Education |- Less expensive than Office 365 ProPlus
- Can be run from any device
- No installation necessary
| - Must have an Internet connection to use it
- Does not support all the features found in Office 365 ProPlus
|
- |Office 365 ProPlus |- Only requires an Internet connection every 30 days (for activation)
- Supports the full set of Office features
- Can be installed on five devices per user (there is no limit to the number of devices on which you can run Office apps online)
|- Requires installation
- More expensive than Office 365 Education
|
+ |Office 365 Education |- Less expensive than Microsoft 365 Apps for enterprise
- Can be run from any device
- No installation necessary
| - Must have an Internet connection to use it
- Does not support all the features found in Microsoft 365 Apps for enterprise
|
+ |Microsoft 365 Apps for enterprise |- Only requires an Internet connection every 30 days (for activation)
- Supports the full set of Office features
- Can be installed on five devices per user (there is no limit to the number of devices on which you can run Office apps online)
|- Requires installation
- More expensive than Office 365 Education
|
- *Table 8. Comparison of standard and Office 365 ProPlus plans*
+ *Table 8. Comparison of standard and Microsoft 365 Apps for enterprise plans*
- The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+ The best user experience is to run Microsoft 365 Apps for enterprise or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
3. Determine whether students or faculty need Azure Rights Management.
@@ -1259,7 +1259,7 @@ Your MDT deployment share and Microsoft Endpoint Configuration Manager are now r
## Capture the reference image
-The reference device is a device that you use as the template for all the other devices in your district. On this device, you install any Windows desktop apps the classroom needs. For example, install the Windows desktop apps for Office 365 ProPlus if you selected that student license plan.
+The reference device is a device that you use as the template for all the other devices in your district. On this device, you install any Windows desktop apps the classroom needs. For example, install the Windows desktop apps for Microsoft 365 Apps for enterprise if you selected that student license plan.
After you deploy Windows 10 and the desktop apps to the reference device, you capture an image of the device (the reference image). You import the reference image to an MDT deployment share or into Configuration Manager. Finally, you create a task sequence to deploy the reference image to faculty and student devices.
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index f582026716..5631f3e6ab 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -173,9 +173,9 @@ Complete the following steps to select the appropriate Office 365 Education lice
- Determine the number of faculty members and students who will use the classroom.
Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
-- Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
+- Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Microsoft 365 Apps for enterprise plans). Table 1 lists the advantages and disadvantages of standard and Microsoft 365 Apps for enterprise plans.
-Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans
+Table 1. Comparison of standard and Microsoft Microsoft 365 Apps for enterprise plans
@@ -191,13 +191,13 @@ Complete the following steps to select the appropriate Office 365 Education lice
-| Standard | - Less expensive than Office 365 ProPlus
- Can be run from any device
- No installation necessary
| - Must have an Internet connection to use it
- Does not support all the features found in Office 365 ProPlus
|
+| Standard | - Less expensive than Microsoft 365 Apps for enterprise
- Can be run from any device
- No installation necessary
| - Must have an Internet connection to use it
- Does not support all the features found in Microsoft 365 Apps for enterprise
|
| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
- Supports full set of Office features
| - Requires installation
- Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
|
-The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+The best user experience is to run Microsoft 365 Apps for enterprise or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
- Determine whether students or faculty need Azure Rights Management.
You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see Azure Rights Management.
- Record the Office 365 Education license plans needed for the classroom in Table 2.
@@ -506,7 +506,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not
**Note** If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
-For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+For information about creating security groups, see [Create and manage Microsoft 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
You can add and remove users from security groups at any time.
@@ -520,7 +520,7 @@ You can create email distribution groups based on job role (such as teachers, ad
**Note** Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
-For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+For information about how to create security groups, see [Create and manage Microsoft 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
### Summary
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 3149237ba1..de941be3c6 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -83,7 +83,7 @@ Applies to: IT admins
Self-service sign up makes it easier for teachers and students in your organization to get started with **Minecraft: Education Edition**. If you have self-service sign up enabled in your tenant, teachers can assign **Minecraft: Education Edition** to students before they have a work or school account. Students receive an email that steps them through the process of signing up for a work or school account. For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
### Domain verification
-For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Office 365 portal. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
+For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Microsoft 365 admin center. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
## Acquire apps
Applies to: IT admins and teachers
diff --git a/education/windows/images/edu-districtdeploy-fig1.png b/education/windows/images/edu-districtdeploy-fig1.png
index a9ed962f95..9e9cd6c238 100644
Binary files a/education/windows/images/edu-districtdeploy-fig1.png and b/education/windows/images/edu-districtdeploy-fig1.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig2.png b/education/windows/images/edu-districtdeploy-fig2.png
index 3838c18153..dfa00a0132 100644
Binary files a/education/windows/images/edu-districtdeploy-fig2.png and b/education/windows/images/edu-districtdeploy-fig2.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig4.png b/education/windows/images/edu-districtdeploy-fig4.png
index c55ee20d47..ca07e5a968 100644
Binary files a/education/windows/images/edu-districtdeploy-fig4.png and b/education/windows/images/edu-districtdeploy-fig4.png differ
diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md
index 7d74f93c5d..fe8d0d640e 100644
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ b/education/windows/set-up-school-pcs-whats-new.md
@@ -21,7 +21,7 @@ Learn what’s new with the Set up School PCs app each week. Find out about new
## Week of September 23, 2019
### Easier way to deploy Office 365 to your classroom devices
- Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Office 365 ProPlus. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
+ Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
## Week of June 24, 2019
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index c326ec1cba..69d4efc9c1 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -20,7 +20,7 @@ manager: dansimp
- Windows 10
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test.
+Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test.
Follow the guidance in this topic to set up Take a Test on multiple PCs.
@@ -130,7 +130,7 @@ To set up a test account through Windows Configuration Designer, follow these st
1. [Install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd).
2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account.
- 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**.
+ 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**.
2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**.
3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up.
@@ -211,7 +211,7 @@ Anything hosted on the web can be presented in a locked down manner, not just as
For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
- To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link).
+ To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
- Create a link using schema activation
@@ -255,7 +255,7 @@ One of the ways you can present content in a locked down manner is by embedding
See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info.
### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
+You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 41fbb7b7fd..1286a5aec8 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -66,7 +66,7 @@ Anything hosted on the web can be presented in a locked down manner, not just as
For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
- To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link).
+ To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
- Create a link using schema activation
@@ -117,7 +117,7 @@ One of the ways you can present content in a locked down manner is by embedding
### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
+You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index fed3ff8374..7e016c22c0 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -34,8 +34,12 @@ Many schools use online testing for formative and summative assessments. It's cr
-There are several ways to configure devices for assessments. You can:
-- **Configure an assessment URL and a dedicated testing account**
+There are several ways to configure devices for assessments, depending on your use case:
+
+- For higher stakes testing such as mid-term exams, you can set up a device with a dedicated testing account and URL.
+- For lower stakes assessments such as a quick quiz in a class, you can quickly create and distribute the assessment URL through any method of your choosing.
+
+1. **Configure an assessment URL and a dedicated testing account**
In this configuration, a user signs into in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
@@ -58,9 +62,9 @@ There are several ways to configure devices for assessments. You can:
For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md).
-- **Distribute the assessment URL through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link**
+2. **Create and distribute the assessment URL through the web, email, OneNote, or any other method**
- This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
+ This allows teachers and test administrators an easier way to deploy assessments quickly and simply. We recommend this method for lower stakes assessments. You can also create shortcuts to distribute the link.
You can enable this using a schema activation.
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 501e3f3249..136499ee4c 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -93,7 +93,7 @@ Enter email addresses for your students, and each student will get an email with
You can assign the app to students with work or school accounts.
- If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Office 365 portal where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
+ If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
**To finish Minecraft install (for students)**
diff --git a/mdop/agpm/agpm-4-navengl.md b/mdop/agpm/agpm-4-navengl.md
index 76b3146249..d9b63043f8 100644
--- a/mdop/agpm/agpm-4-navengl.md
+++ b/mdop/agpm/agpm-4-navengl.md
@@ -25,7 +25,8 @@ ms.date: 06/16/2016
- [Release Notes for Microsoft Advanced Group Policy Management 4.0](release-notes-for-microsoft-advanced-group-policy-management-40.md)
-
+> [!NOTE]
+> Advanced Group Policy Management (AGPM) 4.0 will be end of life on January 12, 2021. Please upgrade to a supported version, such as AGPM 4.0 with Service Pack 3 prior to this date.
diff --git a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
index abe185ad6b..5fa848da03 100644
--- a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
+++ b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
@@ -45,9 +45,9 @@ For more information about AGPM, see the following:
- [Advanced Group Policy Management TechNet Library](https://go.microsoft.com/fwlink/?LinkID=146846) (https://go.microsoft.com/fwlink/?LinkID=146846)
-- [Microsoft Desktop Optimization Pack TechCenter](https://go.microsoft.com/fwlink/?LinkId=159870) (http://www.microsoft.com/technet/mdop)
+- [Microsoft Desktop Optimization Pack TechCenter](https://go.microsoft.com/fwlink/?LinkId=159870) (https://www.microsoft.com/technet/mdop)
-- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkId=145531) (http://www.microsoft.com/gp)
+- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkId=145531) (https://www.microsoft.com/gp)
## Providing feedback
diff --git a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md
index 8a54d8a0da..03301519d2 100644
--- a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md
+++ b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md
@@ -102,7 +102,7 @@ The structure of the App-V 5.0 Dynamic Configuration file is explained in the fo
**Header** - the header of a dynamic user configuration file is as follows:
-<?xml version="1.0" encoding="utf-8"?><UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
+<?xml version="1.0" encoding="utf-8"?><UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
The **PackageId** is the same value as exists in the Manifest file.
@@ -110,7 +110,7 @@ The **PackageId** is the same value as exists in the Manifest file.
1. **Applications** - All app-extensions that are contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored.
- <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
+ <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
<Applications>
@@ -128,7 +128,7 @@ The **PackageId** is the same value as exists in the Manifest file.
2. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the <Subsystems>:
- <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
+ <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
<Subsystems>
@@ -572,7 +572,7 @@ The **PackageId** is the same value as exists in the Manifest file.
**Header** - The header of a Deployment Configuration file is as follows:
-<?xml version="1.0" encoding="utf-8"?><DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
+<?xml version="1.0" encoding="utf-8"?><DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
The **PackageId** is the same value as exists in the manifest file.
@@ -582,7 +582,7 @@ The **PackageId** is the same value as exists in the manifest file.
- Machine Configuration section–contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS.
-<DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
+<DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns=";
<UserConfiguration>
diff --git a/mdop/appv-v5/about-app-v-51-reporting.md b/mdop/appv-v5/about-app-v-51-reporting.md
index b37f88f1db..381a1231a7 100644
--- a/mdop/appv-v5/about-app-v-51-reporting.md
+++ b/mdop/appv-v5/about-app-v-51-reporting.md
@@ -16,36 +16,32 @@ ms.date: 08/30/2016
# About App-V 5.1 Reporting
-
Microsoft Application Virtualization (App-V) 5.1 includes a built-in reporting feature that helps you collect information about computers running the App-V 5.1 client as well as information about virtual application package usage. You can use this information to generate reports from a centralized database.
## App-V 5.1 Reporting Overview
-
The following list displays the end–to-end high-level workflow for reporting in App-V 5.1.
-1. The App-V 5.1 Reporting server has the following prerequisites:
+1. The App-V 5.1 Reporting server has the following prerequisites:
- - Internet Information Service (IIS) web server role
+ - Internet Information Service (IIS) web server role
- - Windows Authentication role (under **IIS / Security**)
+ - Windows Authentication role (under **IIS / Security**)
- - SQL Server installed and running with SQL Server Reporting Services (SSRS)
+ - SQL Server installed and running with SQL Server Reporting Services (SSRS)
To confirm SQL Server Reporting Services is running, view `http://localhost/Reports` in a web browser as administrator on the server that will host App-V 5.1 Reporting. The SQL Server Reporting Services Home page should display.
-2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server.
+2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server.
-3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at .
+3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined SSRS Reports from the [Download Center](https://go.microsoft.com/fwlink/?LinkId=397255).
- **Note**
- If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1.
+ > [!NOTE]
+ > If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1.
-
+4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting:
-4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting:
-
- ``` syntax
+ ```powershell
Set-AppvClientConfiguration –reportingserverurl : -reportingenabled 1 – ReportingStartTime <0-23> - ReportingRandomDelay <#min>
```
@@ -53,18 +49,14 @@ The following list displays the end–to-end high-level workflow for reporting i
For more information about installing the App-V 5.1 client with reporting enabled see [About Client Configuration Settings](about-client-configuration-settings51.md). To administer App-V 5.1 Reporting with Windows PowerShell, see [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md).
-5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client.
+5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client.
-6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space.
+6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space.
- **Note**
- By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
+ > [!NOTE]
+ > By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
-
-
-~~~
If the App-V 5.1 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache.
-~~~
### App-V 5.1 reporting server frequently asked questions
@@ -121,52 +113,50 @@ The following table displays answers to common questions about App-V 5.1 reporti
Note
Group Policy settings override local settings configured using PowerShell.
-
-
-
## App-V 5.1 Client Reporting
-
To use App-V 5.1 reporting you must install and configure the App-V 5.1 client. After the client has been installed, use the **Set-AppVClientConfiguration** PowerShell cmdlet or the **ADMX Template** to configure reporting. The reporting feature cmdlets are available by using the following link and are prefaced by **Reporting**. For a complete list of client configuration settings see [About Client Configuration Settings](about-client-configuration-settings51.md). The following section provides examples of App-V 5.1 client reporting configuration using PowerShell.
### Configuring App-V Client reporting using PowerShell
The following examples show how PowerShell parameters can configure the reporting features of the App-V 5.1 client.
-**Note**
-The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md).
-
-
+> [!NOTE]
+> The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md).
**To enable reporting and to initiate data collection on the computer running the App-V 5.1 client**:
-`Set-AppVClientConfiguration –ReportingEnabled 1`
+```powershell
+Set-AppVClientConfiguration –ReportingEnabled 1
+```
**To configure the client to automatically send data to a specific reporting server**:
-``` syntax
-Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30
+```powershell
+Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30 -ReportingInterval 1 -ReportingRandomDelay 30
```
-`-ReportingInterval 1 -ReportingRandomDelay 30`
-
-This example configures the client to automatically send the reporting data to the reporting server URL http://MyReportingServer:MyPort/. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session.
+This example configures the client to automatically send the reporting data to the reporting server URL **http://MyReportingServer:MyPort/**. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session.
**To limit the size of the data cache on the client**:
-`Set-AppvClientConfiguration –ReportingDataCacheLimit 100`
+```powershell
+Set-AppvClientConfiguration –ReportingDataCacheLimit 100
+```
Configures the maximum size of the reporting cache on the computer running the App-V 5.1 client to 100 MB. If the cache limit is reached before the data is sent to the server, then the log rolls over and data will be overwritten as necessary.
**To configure the data block size transmitted across the network between the client and the server**:
-`Set-AppvClientConfiguration –ReportingDataBlockSize 10240`
+```powershell
+Set-AppvClientConfiguration –ReportingDataBlockSize 10240
+```
Specifies the maximum data block that the client sends to 10240 MB.
@@ -174,59 +164,15 @@ Specifies the maximum data block that the client sends to 10240 MB.
The following table displays the types of information you can collect by using App-V 5.1 reporting.
-
-
-
-
-
-
-
-
-
-
-
-Host Name |
-Package Name |
-Start and End Times |
-
-
-App-V 5.1 Client Version |
-Package Version |
-Run Status |
-
-
-Processor Architecture |
-Package Source |
-Shutdown State |
-
-
-Operating System Version |
-Percent Cached |
-Application Name |
-
-
-Service Pack Level |
- |
-Application Version |
-
-
-Operating System Type |
- |
-Username |
-
-
- |
- |
-Connection Group |
-
-
-
-
-
+|Client Information |Package Information |Application Usage |
+|---------|---------|---------|
+|Host Name |Package Name|Start and End Times|
+|App-V 5.1 Client Version |Package Version|Run Status|
+|Processor Architecture |Package Source|Shutdown State|
+|Operating System Version|Percent Cached|Application Name|
+|Service Pack Level| |Application Version|
+|Operating System Type| |Username|
+| | |Connection Group|
The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file.
@@ -234,19 +180,17 @@ The client collects and saves this data in an **.xml** format. The data cache is
You can configure the computer that is running the App-V 5.1 client to automatically send data to the specified reporting server. To specify the server use the **Set-AppvClientConfiguration** cmdlet with the following settings:
-- ReportingEnabled
-
-- ReportingServerURL
-
-- ReportingStartTime
-
-- ReportingInterval
-
-- ReportingRandomDelay
+- ReportingEnabled
+- ReportingServerURL
+- ReportingStartTime
+- ReportingInterval
+- ReportingRandomDelay
After you configure the previous settings, you must create a scheduled task. The scheduled task will contact the server specified by the **ReportingServerURL** setting and will initiate the transfer. If you want to manually send data outside of the scheduled times, use the following PowerShell cmdlet:
-`Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess`
+```powershell
+Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess
+```
If the reporting server has been previously configured, then the **–URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection.
@@ -277,23 +221,20 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data.
Note
If a location other than the Reporting Server is specified, the data is sent using .xml format with no additional processing.
-
-
-
### Creating Reports
To retrieve report information and create reports using App-V 5.1 you must use one of the following methods:
-- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports.
+- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports.
Use the following link for more information about using [Microsoft SQL Server Reporting Services](https://go.microsoft.com/fwlink/?LinkId=285596).
-- **Scripting** – You can generate reports by scripting directly against the App-V 5.1 reporting database. For example:
+- **Scripting** – You can generate reports by scripting directly against the App-V 5.1 reporting database. For example:
**Stored Procedure:**
@@ -303,25 +244,10 @@ To retrieve report information and create reports using App-V 5.1 you must use o
The stored procedure is also created when using the App-V 5.1 database scripts.
-You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**.
-
-
-
-
-
+You should also ensure that the reporting server web service's **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**.
## Related topics
-
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
[How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/about-the-connection-group-file.md b/mdop/appv-v5/about-the-connection-group-file.md
index 6052eca8c9..49785fcb96 100644
--- a/mdop/appv-v5/about-the-connection-group-file.md
+++ b/mdop/appv-v5/about-the-connection-group-file.md
@@ -87,7 +87,7 @@ The following table describes the parameters in the XML file that define the con
Schema name |
Name of the schema.
Applicable starting in App-V 5.0 SP3: If you want to use the new “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:
-xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
|
+xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
AppConnectionGroupId |
@@ -160,8 +160,8 @@ The following example connection group XML file shows examples of the fields in
```XML
Schema name
Name of the schema.
Applicable starting in App-V 5.0 SP3: If you want to use the new “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:
-xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
|
+xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
AppConnectionGroupId |
@@ -160,8 +160,8 @@ The following example connection group XML file shows examples of the fields in
```XML
-
-
-
-
-
-
-
-
-
-
-
- |
-Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning. |
-Getting Started with App-V 5.1 |
- |
-
-
- |
-Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment. |
-App-V 5.1 Prerequisites |
- |
-
-
- |
-If you plan to use the App-V 5.1 management server, plan for the required roles. |
-Planning for the App-V 5.1 Server Deployment |
- |
-
-
- |
-Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications. |
-Planning for the App-V 5.1 Sequencer and Client Deployment |
- |
-
-
- |
-If applicable, review the options and steps for migrating from a previous version of App-V. |
-Planning for Migrating from a Previous Version of App-V |
- |
-
-
- |
-Plan for running App-V 5.1 clients using in shared content store mode. |
-How to Install the App-V 5.1 Client for Shared Content Store Mode |
- |
-
-
-
-
-
-
-
-
-
+> [!NOTE]
+> This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use.
+| |Task |References |
+|-|-|-|
+| |Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.|[Getting Started with App-V 5.1](getting-started-with-app-v-51.md)|
+| |Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.|[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)|
+| |If you plan to use the App-V 5.1 management server, plan for the required roles.|[Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)|
+| |Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.|[Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)|
+| |If applicable, review the options and steps for migrating from a previous version of App-V.|[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)|
+| |Plan for running App-V 5.1 clients using in shared content store mode.|[How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)|
+| | | |
## Related topics
-
[Planning for App-V 5.1](planning-for-app-v-51.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md
index aa2a35a202..7785be89ee 100644
--- a/mdop/appv-v5/app-v-51-supported-configurations.md
+++ b/mdop/appv-v5/app-v-51-supported-configurations.md
@@ -10,18 +10,16 @@ ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
-ms.date: 09/27/2016
+ms.date: 04/02/2020
---
# App-V 5.1 Supported Configurations
-
This topic specifies the requirements to install and run Microsoft Application Virtualization (App-V) 5.1 in your environment.
## App-V Server system requirements
-
This section lists the operating system and hardware requirements for all of the App-V Server components.
### Unsupported App-V 5.1 Server scenarios
@@ -117,6 +115,12 @@ The following table lists the SQL Server versions that are supported for the App
+
+Microsoft SQL Server 2019 |
+ |
+32-bit or 64-bit |
+
+
Microsoft SQL Server 2017 |
|
@@ -145,7 +149,7 @@ The following table lists the SQL Server versions that are supported for the App
-
+For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f).
### Publishing server operating system requirements
@@ -303,7 +307,6 @@ The following table lists the SQL Server versions that are supported for the App
## App-V client system requirements
-
The following table lists the operating systems that are supported for the App-V 5.1 client installation.
**Note:** With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
@@ -416,7 +419,6 @@ App-V adds no additional requirements beyond those of Windows Server.
## Sequencer system requirements
-
The following table lists the operating systems that are supported for the App-V 5.1 Sequencer installation.
@@ -479,7 +481,6 @@ See the Windows or Windows Server documentation for the hardware requirements. A
## Supported versions of System Center Configuration Manager
-
The App-V client supports the following versions of System Center Configuration Manager:
- Microsoft System Center 2012 Configuration Manager
@@ -543,23 +544,8 @@ The following App-V and System Center Configuration Manager version matrix shows
For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx).
-
-
-
-
-
## Related topics
-
[Planning to Deploy App-V](planning-to-deploy-app-v51.md)
[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
index c781eb4fea..a2dc196c47 100644
--- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
+++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
@@ -20,7 +20,7 @@ ms.date: 06/16/2016
After you have properly deployed the Microsoft Application Virtualization (App-V) 5.1 sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application.
**Note**
-For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).
+For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx).
**Note**
The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
index 6ac193ddbc..ec3642bc65 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
@@ -101,7 +101,7 @@ Before you deploy Office by using App-V, review the following requirements.
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
|
@@ -640,7 +640,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V 5.0 Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
+2. Sequence your plug-ins using the App-V 5.0 Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Microsoft 365 Apps for enterprise(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
3. Create an App-V 5.0 package that includes the desired plug-ins.
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
index 2e781bfa2b..3c08f56eaf 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
@@ -100,7 +100,7 @@ Before you deploy Office by using App-V, review the following requirements.
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
|
@@ -648,7 +648,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V 5.1 Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
+2. Sequence your plug-ins using the App-V 5.1 Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Microsoft 365 Apps for enterprise(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
3. Create an App-V 5.1 package that includes the desired plug-ins.
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index f66484192f..2856f34f5d 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -102,7 +102,7 @@ Before you deploy Office by using App-V, review the following requirements.
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
|
@@ -293,7 +293,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
Channel (attribute of Add element) |
- Optional. Specifies the update channel for the product that you want to download or install. For more information about update channels, see Overview of update channels for Office 365 ProPlus. |
+ Optional. Specifies the update channel for the product that you want to download or install. For more information about update channels, see Overview of update channels for Microsoft 365 Apps for enterprise. |
Channel="Deferred"
|
@@ -348,7 +348,7 @@ After you download the Office 2016 applications through the Office Deployment To
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
->**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+>**Note** You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
@@ -588,7 +588,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Microsoft 365 Apps for enterprise(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
index 317e8df4e7..6d6021c95e 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
@@ -102,7 +102,7 @@ Before you deploy Office by using App-V, review the following requirements.
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
|
@@ -293,7 +293,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
Branch (attribute of Add element) |
- Optional. Specifies the update branch for the product that you want to download or install. For more information about update branches, see Overview of update branches for Office 365 ProPlus. |
+ Optional. Specifies the update branch for the product that you want to download or install. For more information about update branches, see Overview of update branches for Microsoft 365 Apps for enterprise. |
Branch = "Business"
|
@@ -348,7 +348,7 @@ After you download the Office 2016 applications through the Office Deployment To
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
->**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+>**Note** You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
@@ -588,7 +588,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Microsoft 365 Apps for enterprise(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md
index e3c13b3c79..5a39bf03ab 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md
@@ -10,787 +10,371 @@ ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
-ms.date: 06/16/2016
+ms.date: 03/20/2020
---
-
# How to Deploy the App-V 5.1 Server Using a Script
-
In order to complete the **appv\_server\_setup.exe** Server setup successfully using the command line, you must specify and combine multiple parameters.
-**To Install the App-V 5.1 server using a script**
-
-- Use the following tables for more information about installing the App-V 5.1 server using the command line.
-
- **Note**
- The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
-
-
-
-~~~
-**Common parameters and Examples**
-
-
-
-
-
-
-
-
-To Install the Management server and Management database on a local machine. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-To use a custom instance of Microsoft SQL Server, use the following parameters:
-
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/MANAGEMENT_SERVER
-/MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”
-/MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”
-/MANAGEMENT_WEBSITE_PORT=”8080”
-/DB_PREDEPLOY_MANAGEMENT
-/MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”
-/MANAGEMENT_DB_NAME=”AppVManagement” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To Install the Management server using an existing Management database on a local machine. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-/MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT /EXISTING_MANAGEMENT_DB_NAME
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-/MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE /EXISTING_MANAGEMENT_DB_NAME
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/MANAGEMENT_SERVER
-/MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”
-/MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”
-/MANAGEMENT_WEBSITE_PORT=”8080”
-/EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL
-/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”
-/EXISTING_MANAGEMENT_DB_NAME =”AppVManagement” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To install the Management server using an existing Management database on a remote machine. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-/MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT /EXISTING_MANAGEMENT_DB_NAME
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-/MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE /EXISTING_MANAGEMENT_DB_NAME
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/MANAGEMENT_SERVER
-/MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”
-/MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”
-/MANAGEMENT_WEBSITE_PORT=”8080”
-/EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME=”SqlServermachine.domainName”
-/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”
-/EXISTING_MANAGEMENT_DB_NAME =”AppVManagement” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To Install the Management database and the Management Server on the same computer. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-/DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT /MANAGEMENT_DB_NAME /MANAGEMENT_SERVER_MACHINE_USE_LOCAL /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-/DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE /MANAGEMENT_DB_NAME /MANAGEMENT_SERVER_MACHINE_USE_LOCAL /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/DB_PREDEPLOY_MANAGEMENT
-/MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”
-/MANAGEMENT_DB_NAME=”AppVManagement”
-/MANAGEMENT_SERVER_MACHINE_USE_LOCAL
-/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To install the Management database on a different computer than the Management server. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-/DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT /MANAGEMENT_DB_NAME /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-/DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE /MANAGEMENT_DB_NAME /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/DB_PREDEPLOY_MANAGEMENT
-/MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”
-/MANAGEMENT_DB_NAME=”AppVManagement”
-/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”
-/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To Install the publishing server. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-/PUBLISHING_SERVER /PUBLISHING_MGT_SERVER /PUBLISHING_WEBSITE_NAME /PUBLISHING_WEBSITE_PORT
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/PUBLISHING_SERVER
-/PUBLISHING_MGT_SERVER=”http://ManagementServerName:ManagementPort”
-/PUBLISHING_WEBSITE_NAME=”Microsoft AppV Publishing Service”
-/PUBLISHING_WEBSITE_PORT=”8081” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To Install the Reporting server and Reporting database on a local machine. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-Using a custom instance of Microsoft SQL Server example:
-
-/appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service” /REPORTING_WEBSITE_PORT=”8082” /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName” /REPORTING_DB_NAME=”AppVReporting” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To Install the Reporting server and using an existing Reporting database on a local machine. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-/REPORTING _SERVER /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT /EXISTING_REPORTING _DB_NAME
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-/REPORTING _SERVER /REPORTING _ADMINACCOUNT /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE /EXISTING_REPORTING _DB_NAME
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/REPORTING_SERVER
-/REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”
-/REPORTING_WEBSITE_PORT=”8082”
-/EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL
-/EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”
-/EXITING_REPORTING_DB_NAME=”AppVReporting” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To Install the Reporting server using an existing Reporting database on a remote machine. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-/REPORTING _SERVER /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT /EXISTING_REPORTING _DB_NAME
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-/REPORTING _SERVER /REPORTING _ADMINACCOUNT /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE /EXISTING_REPORTING _DB_NAME
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/REPORTING_SERVER
-/REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”
-/REPORTING_WEBSITE_PORT=”8082”
-/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME=”SqlServerMachine.DomainName”
-/EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”
-/EXITING_REPORTING_DB_NAME=”AppVReporting” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To install the Reporting database on the same computer as the Reporting server. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-/DB_PREDEPLOY_REPORTING /REPORTING _DB_SQLINSTANCE_USE_DEFAULT /REPORTING _DB_NAME /REPORTING_SERVER_MACHINE_USE_LOCAL /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-/DB_PREDEPLOY_REPORTING /REPORTING _DB_CUSTOM_SQLINSTANCE /REPORTING _DB_NAME /REPORTING_SERVER_MACHINE_USE_LOCAL /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/DB_PREDEPLOY_REPORTING
-/REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”
-/REPORTING_DB_NAME=”AppVReporting”
-/REPORTING_SERVER_MACHINE_USE_LOCAL
-/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount” |
-
-
-
-
-
-
-
-
-
-
-
-
-
-To install the Reporting database on a different computer than the Reporting server. |
-To use the default instance of Microsoft SQL Server, use the following parameters:
-
-/DB_PREDEPLOY_REPORTING /REPORTING _DB_SQLINSTANCE_USE_DEFAULT /REPORTING _DB_NAME /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
-To use a custom instance of Microsoft SQL Server, use these parameters:
-
-/DB_PREDEPLOY_REPORTING /REPORTING _DB_CUSTOM_SQLINSTANCE /REPORTING _DB_NAME /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
-Using a custom instance of Microsoft SQL Server example:
-/appv_server_setup.exe /QUIET
-/DB_PREDEPLOY_REPORTING
-/REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”
-/REPORTING_DB_NAME=”AppVReporting”
-/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”
-/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount” |
-
-
-
-
-
-
-**Parameter Definitions**
-
-**General Parameters**
-
-
-
-
-
-
-
-
-
-
-
-/QUIET |
-Specifies silent install. |
-
-
-/UNINSTALL |
-Specifies an uninstall. |
-
-
-/LAYOUT |
-Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected. |
-
-
-/LAYOUTDIR |
-Specifies the layout directory. Takes a string. For example, /LAYOUTDIR=”C:\Application Virtualization Server” |
-
-
-/INSTALLDIR |
-Specifies the installation directory. Takes a string. E.g. /INSTALLDIR=”C:\Program Files\Application Virtualization\Server” |
-
-
-/MUOPTIN |
-Enables Microsoft Update. No value is expected |
-
-
-/ACCEPTEULA |
-Accepts the license agreement. This is required for an unattended installation. Example usage: /ACCEPTEULA or /ACCEPTEULA=1. |
-
-
-
-
-
-
-**Management Server Installation Parameters**
-
-
-
-
-
-
-
-
-
-
-
-/MANAGEMENT_SERVER |
-Specifies that the management server will be installed. No value is expected |
-
-
-/MANAGEMENT_ADMINACCOUNT |
-Specifies the account that will be allowed to Administrator access to the management server This account can be an individual user account or a group. Example usage: /MANAGEMENT_ADMINACCOUNT=”mydomain\admin”. If /MANAGEMENT_SERVER is not specified, this will be ignored. Specifies the account that will be allowed to Administrator access to the management server. This can be a user account or a group. For example, /MANAGEMENT_ADMINACCOUNT="mydomain\admin". |
-
-
-/MANAGEMENT_WEBSITE_NAME |
-Specifies name of the website that will be created for the management service. For example, /MANAGEMENT_WEBSITE_NAME=”Microsoft App-V Management Service” |
-
-
-MANAGEMENT_WEBSITE_PORT |
-Specifies the port number that will be used by the management service will use. For example, /MANAGEMENT_WEBSITE_PORT=82. |
-
-
-
-
-
-
-**Parameters for the Management Server Database**
-
-
-
-
-
-
-
-
-
-
-
-/DB_PREDEPLOY_MANAGEMENT |
-Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected |
-
-
-/MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT |
-Indicates that the default SQL instance should be used. No value is expected. |
-
-
-/MANAGEMENT_DB_ CUSTOM_SQLINSTANCE |
-Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”MYSQLSERVER”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored. |
-
-
-/MANAGEMENT_DB_NAME |
-Specifies the name of the new management database that should be created. Example usage: /MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored. |
-
-
-/MANAGEMENT_SERVER_MACHINE_USE_LOCAL |
-Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. |
-
-
-/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT |
-Specifies the machine account of the remote machine that the management server will be installed on. Example usage: /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”domain\computername” |
-
-
-/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT |
-Indicates the Administrator account that will be used to install the management server. Example usage: /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT =”domain\alias” |
-
-
-
-
-
-
-**Parameters for Installing Publishing Server**
-
-
-
-
-
-
-
-
-
-
-
-/PUBLISHING_SERVER |
-Specifies that the Publishing Server will be installed. No value is expected |
-
-
-/PUBLISHING_MGT_SERVER |
-Specifies the URL to Management Service the Publishing server will connect to. Example usage: http://<management server name>:<Management server port number>. If /PUBLISHING_SERVER is not used, this parameter will be ignored |
-
-
-/PUBLISHING_WEBSITE_NAME |
-Specifies name of the website that will be created for the publishing service. For example, /PUBLISHING_WEBSITE_NAME=”Microsoft App-V Publishing Service” |
-
-
-/PUBLISHING_WEBSITE_PORT |
-Specifies the port number used by the publishing service. For example, /PUBLISHING_WEBSITE_PORT=83 |
-
-
-
-
-
-
-**Parameters for Reporting Server**
-
-
-
-
-
-
-
-
-
-
-
-/REPORTING_SERVER |
-Specifies that the Reporting Server will be installed. No value is expected |
-
-
-/REPORTING_WEBSITE_NAME |
-Specifies name of the website that will be created for the Reporting Service. E.g. /REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService" |
-
-
-/REPORTING_WEBSITE_PORT |
-Specifies the port number that the Reporting Service will use. E.g. /REPORTING_WEBSITE_PORT=82 |
-
-
-
-
-
-
-**Parameters for using an Existing Reporting Server Database**
-
-
-
-
-
-
-
-
-
-
-
-/EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL |
-Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected. |
-
-
-/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME |
-Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1" |
-
-
-/EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT |
-Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. |
-
-
-/EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE |
-Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER" |
-
-
-/EXISTING_ REPORTING _DB_NAME |
-Specifies the name of the existing Reporting database that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_NAME="AppVReporting" |
-
-
-
-
-
-
-**Parameters for installing Reporting Server Database**
-
-
-
-
-
-
-
-
-
-
-
-/DB_PREDEPLOY_REPORTING |
-Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected |
-
-
-/REPORTING_DB_SQLINSTANCE_USE_DEFAULT |
-Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER" |
-
-
-/REPORTING_DB_NAME |
-Specifies the name of the new Reporting database that should be created. Takes a string. E.g. /REPORTING_DB_NAME="AppVMgmtDB" |
-
-
-/REPORTING_SERVER_MACHINE_USE_LOCAL |
-Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. |
-
-
-/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT |
-Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. E.g. /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT = "domain\computername" |
-
-
-/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT |
-Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. E.g. /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT = "domain\alias" |
-
-
-
-
-
-
-**Parameters for using an existing Management Server Database**
-
-
-
-
-
-
-
-
-
-
-
-/EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL |
-Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored. |
-
-
-/EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME |
-Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1" |
-
-
-/EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT |
-Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored. |
-
-
-/EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE |
-Specifies the name of the custom SQL instance that will be used. Example usage /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”AppVManagement”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored. |
-
-
-/EXISTING_MANAGEMENT_DB_NAME |
-Specifies the name of the existing management database that should be used. Example usage: /EXISTING_MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.
-
-Got a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). |
-
-
-
-~~~
+## Install the App-V 5.1 server using a script
+- Use the following information about installing the App-V 5.1 server using the command line.
+ > [!NOTE]
+ > The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
+
+### Install the Management server and Management database on a local machine
+
+The following parameters are valid with both the default and custom instance of Microsoft SQL Server:
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /DB_PREDEPLOY_MANAGEMENT
+- /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT
+- /MANAGEMENT_DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup" /MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service" /MANAGEMENT_WEBSITE_PORT="8080" /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /MANAGEMENT_DB_NAME="AppVManagement"
+```
+
+### Install the Management server using an existing Management database on a local machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use the following parameters (difference from default instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup" /MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service" /MANAGEMENT_WEBSITE_PORT="8080" /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE ="SqlInstanceName" /EXISTING_MANAGEMENT_DB_NAME ="AppVManagement"
+```
+
+### Install the Management server using an existing Management database on a remote machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup" /MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service" /MANAGEMENT_WEBSITE_PORT="8080" /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME="SqlServermachine.domainName" /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE ="SqlInstanceName" /EXISTING_MANAGEMENT_DB_NAME ="AppVManagement"
+```
+
+### Install the Management database and the Management Server on the same computer
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_SERVER_MACHINE_USE_LOCAL
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_SERVER_MACHINE_USE_LOCAL
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /MANAGEMENT_DB_NAME="AppVManagement" /MANAGEMENT_SERVER_MACHINE_USE_LOCAL /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Install the Management database on a different computer than the Management server
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /MANAGEMENT_DB_NAME="AppVManagement" /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount" /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Install the publishing server
+
+To use the default instance of Microsoft SQL Server, use the following parameters:
+
+- /PUBLISHING_SERVER
+- /PUBLISHING_MGT_SERVER
+- /PUBLISHING_WEBSITE_NAME
+- /PUBLISHING_WEBSITE_PORT
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /PUBLISHING_SERVER /PUBLISHING_MGT_SERVER="http://ManagementServerName:ManagementPort" /PUBLISHING_WEBSITE_NAME="Microsoft AppV Publishing Service" /PUBLISHING_WEBSITE_PORT="8081"
+```
+
+### Install the Reporting server and Reporting database on a local machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /REPORTING _SERVER
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /REPORTING _DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /REPORTING _SERVER
+- */REPORTING _ADMINACCOUNT*
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /REPORTING _DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service" /REPORTING_WEBSITE_PORT="8082" /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /REPORTING_DB_NAME="AppVReporting"
+```
+
+### Install the Reporting server and using an existing Reporting database on a local machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /REPORTING _SERVER
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_REPORTING _DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /REPORTING _SERVER
+- */REPORTING _ADMINACCOUNT*
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_REPORTING _DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service" /REPORTING_WEBSITE_PORT="8082" /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /EXITING_REPORTING_DB_NAME="AppVReporting"
+```
+
+### Install the Reporting server using an existing Reporting database on a remote machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /REPORTING _SERVER
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_REPORTING _DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /REPORTING _SERVER
+- */REPORTING _ADMINACCOUNT*
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_REPORTING _DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service" /REPORTING_WEBSITE_PORT="8082" /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME="SqlServerMachine.DomainName" /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /EXITING_REPORTING_DB_NAME="AppVReporting"
+```
+
+### Install the Reporting database on the same computer as the Reporting server
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /REPORTING _DB_NAME
+- /REPORTING_SERVER_MACHINE_USE_LOCAL
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /REPORTING _DB_NAME
+- /REPORTING_SERVER_MACHINE_USE_LOCAL
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /REPORTING_DB_NAME="AppVReporting" /REPORTING_SERVER_MACHINE_USE_LOCAL /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Install the Reporting database on a different computer than the Reporting server
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- /REPORTING _DB_SQLINSTANCE_USE_DEFAULT
+- /REPORTING _DB_NAME
+- /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- /REPORTING _DB_CUSTOM_SQLINSTANCE
+- /REPORTING _DB_NAME
+- /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+ appv_server_setup.exe /QUIET /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /REPORTING_DB_NAME="AppVReporting" /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount" /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Parameter Definitions
+
+#### General Parameters
+
+| Parameter | Information |
+|--|--|
+| /QUIET | Specifies silent install. |
+| /UNINSTALL | Specifies an uninstall. |
+| /LAYOUT | Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected. |
+| /LAYOUTDIR | Specifies the layout directory. Takes a string. Example usage: **/LAYOUTDIR="C:\\Application Virtualization Server"** |
+| /INSTALLDIR | Specifies the installation directory. Takes a string. Example usage: **/INSTALLDIR="C:\\Program Files\\Application Virtualization\\Server"** |
+| /MUOPTIN | Enables Microsoft Update. No value is expected. |
+| /ACCEPTEULA | Accepts the license agreement. This is required for an unattended installation. Example usage: **/ACCEPTEULA** or **/ACCEPTEULA=1** |
+
+#### Management Server Installation Parameters
+
+|Parameter |Information |
+|--|--|
+| /MANAGEMENT_SERVER | Specifies that the management server will be installed. No value is expected |
+| /MANAGEMENT_ADMINACCOUNT | Specifies the account that will be allowed Administrator access to the management server. This can be a user account or a group. Example usage: **/MANAGEMENT_ADMINACCOUNT="mydomain\\admin"**. If **/MANAGEMENT_SERVER** is not specified, this will be ignored. |
+| /MANAGEMENT_WEBSITE_NAME | Specifies name of the website that will be created for the management service. Example usage: **/MANAGEMENT_WEBSITE_NAME="Microsoft App-V Management Service"** |
+| MANAGEMENT_WEBSITE_PORT | Specifies the port number that will be used by the management service will use. Example usage: **/MANAGEMENT_WEBSITE_PORT=82** |
+
+#### Parameters for the Management Server Database
+
+| Parameter | Information |
+|--|--|
+| /DB_PREDEPLOY_MANAGEMENT | Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected. |
+| /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT | Indicates that the default SQL instance should be used. No value is expected. |
+| /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE | Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: **/MANAGEMENT_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"**. If **/DB_PREDEPLOY_MANAGEMENT** is not specified, this will be ignored. |
+| /MANAGEMENT_DB_NAME | Specifies the name of the new management database that should be created. Example usage: **/MANAGEMENT_DB_NAME="AppVMgmtDB"**. If **/DB_PREDEPLOY_MANAGEMENT** is not specified, this will be ignored. |
+| /MANAGEMENT_SERVER_MACHINE_USE_LOCAL | Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. |
+| /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT | Specifies the machine account of the remote machine that the management server will be installed on. Example usage: **/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT="domain\\computername"** |
+| /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT | Indicates the Administrator account that will be used to install the management server. Example usage: **/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT ="domain\\alias"** |
+
+#### Parameters for Installing Publishing Server
+
+| Parameter | Information |
+|--|--|
+| /PUBLISHING_SERVER | Specifies that the Publishing Server will be installed. No value is expected. |
+| /PUBLISHING_MGT_SERVER | Specifies the URL to Management Service the Publishing server will connect to. Example usage: **http://<management server name>:<Management server port number>**. If **/PUBLISHING_SERVER** is not used, this parameter will be ignored. |
+| /PUBLISHING_WEBSITE_NAME | Specifies name of the website that will be created for the publishing service. Example usage: **/PUBLISHING_WEBSITE_NAME="Microsoft App-V Publishing Service"** |
+| /PUBLISHING_WEBSITE_PORT | Specifies the port number used by the publishing service. Example usage: **/PUBLISHING_WEBSITE_PORT=83** |
+
+#### Parameters for Reporting Server
+
+| Parameter | Information |
+|--|--|
+| /REPORTING_SERVER | Specifies that the Reporting Server will be installed. No value is expected. |
+| /REPORTING_WEBSITE_NAME | Specifies name of the website that will be created for the Reporting Service. Example usage: **/REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService"** |
+| /REPORTING_WEBSITE_PORT | Specifies the port number that the Reporting Service will use. Example usage: **/REPORTING_WEBSITE_PORT=82** |
+
+#### Parameters for using an Existing Reporting Server Database
+
+| Parameter | Information |
+|--|--|
+| /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL | Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected. |
+| /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME | Specifies the name of the remote computer that SQL Server is installed on. Takes a string. Example usage: **/EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"** |
+| /EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT | Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. |
+| /EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE | Specifies the name of the custom SQL instance that should be used. Takes a string. Example usage: **/EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"** |
+| /EXISTING_ REPORTING _DB_NAME | Specifies the name of the existing Reporting database that should be used. Takes a string. Example usage: **/EXISTING_REPORTING_DB_NAME="AppVReporting"** |
+
+#### Parameters for installing Reporting Server Database
+
+| Parameter | Information |
+|--|--|
+| /DB_PREDEPLOY_REPORTING | Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected. |
+| /REPORTING_DB_SQLINSTANCE_USE_DEFAULT | Specifies the name of the custom SQL instance that should be used. Takes a string. Example usage: **/REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"** |
+| /REPORTING_DB_NAME | Specifies the name of the new Reporting database that should be created. Takes a string. Example usage: **/REPORTING_DB_NAME="AppVMgmtDB"** |
+| /REPORTING_SERVER_MACHINE_USE_LOCAL | Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. |
+| /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT | Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. Example usage: **/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="domain\computername"** |
+| /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT | Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. Example usage: **/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="domain\\alias"** |
+
+#### Parameters for using an existing Management Server Database
+
+| Parameter | Information |
+|--|--|
+| /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL | Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+| /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME | Specifies the name of the remote computer that SQL Server is installed on. Takes a string. Example usage: **/EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"** |
+| /EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT | Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+| /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE | Specifies the name of the custom SQL instance that will be used. Example usage **/EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE="AppVManagement"**. If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+| /EXISTING_MANAGEMENT_DB_NAME | Specifies the name of the existing management database that should be used. Example usage: **/EXISTING_MANAGEMENT_DB_NAME="AppVMgmtDB"**. If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+
+Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
index 4d6223aabf..b74f0be3c2 100644
--- a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
+++ b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
@@ -16,63 +16,46 @@ ms.date: 06/16/2016
# How to install the Reporting Server on a Standalone Computer and Connect it to the Database
-
Use the following procedure to install the reporting server on a standalone computer and connect it to the database.
-**Important**
+**Important**
Before performing the following procedure you should read and understand [About App-V 5.1 Reporting](about-app-v-51-reporting.md).
+## To install the reporting server on a standalone computer and connect it to the database
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
-**To install the reporting server on a standalone computer and connect it to the database**
+2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
+3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
-2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
+4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**.
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.
+5. On the **Installation Location** page, accept the default location and click **Next**.
-4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**.
+6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**.
-5. On the **Installation Location** page, accept the default location and click **Next**.
+ > [!NOTE]
+ > If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**.
-6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**.
+ For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance.
- **Note**
- If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**.
-
-
-
-~~~
-For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance.
-
-Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**.
-~~~
+ Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**.
7. On the **Configure Reporting Server Configuration** page.
- - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name.
+ - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name.
- - For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website.
+ - For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website.
8. Click **Install**.
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[About App-V 5.1 Reporting](about-app-v-51-reporting.md)
[Deploying App-V 5.1](deploying-app-v-51.md)
[How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md
index 02c3ed99ef..08be8a6ee4 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md
@@ -36,7 +36,7 @@ The following procedure does not require an App-V 5.0 management server.
<DeploymentConfiguration
- xmlns="" PackageId=<Package ID> DisplayName=<Display Name>
+ xmlns="" PackageId=<Package ID> DisplayName=<Display Name>
<MachineConfiguration/>
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md
index 19ee17d2ed..3a18c1b154 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md
@@ -37,7 +37,7 @@ The following procedure does not require an App-V 5.1 management server.
<DeploymentConfiguration
- xmlns="" PackageId=<Package ID> DisplayName=<Display Name>
+ xmlns="" PackageId=<Package ID> DisplayName=<Display Name>
<MachineConfiguration/>
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md
index 5221f2f8c7..6e636ec80a 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md
@@ -29,7 +29,7 @@ Use the following procedure to migrate packages created with App-V using the use
<UserConfiguration PackageId=<Package ID> DisplayName=<Name of the Package>
- xmlns="; <ManagingAuthority TakeoverExtensionPointsFrom46="true"
+ xmlns="; <ManagingAuthority TakeoverExtensionPointsFrom46="true"
PackageName=<Package ID>
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md
index ddcc67a299..cbec1bdbe6 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md
@@ -32,7 +32,7 @@ This procedure assumes that you are running the latest version of App-V 4.6.
<UserConfiguration PackageId=<Package ID> DisplayName=<Name of the Package>
- xmlns="; <ManagingAuthority TakeoverExtensionPointsFrom46="true"
+ xmlns="; <ManagingAuthority TakeoverExtensionPointsFrom46="true"
PackageName=<Package ID>
diff --git a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md
index d8239f46ed..8c95c046c5 100644
--- a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md
+++ b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md
@@ -119,7 +119,7 @@ Before using optional packages, see [Requirements for using optional packages in
Example connection group XML document with optional packages:
<?xml version="1.0" ?>
<AppConnectionGroup
- xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
+ xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
AppConnectionGroupId="8105CCD5-244B-4BA1-8888-E321E688D2CB"
VersionId="84CE3797-F1CB-4475-A223-757918929EB4"
DisplayName="Contoso Software Connection Group" >
diff --git a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md
index 8a87b7ff92..b29a4ff7a9 100644
--- a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md
+++ b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md
@@ -118,7 +118,7 @@ Before using optional packages, see [Requirements for using optional packages in
Example connection group XML document with optional packages:
<?xml version="1.0" ?>
<AppConnectionGroup
- xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
+ xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
AppConnectionGroupId="8105CCD5-244B-4BA1-8888-E321E688D2CB"
VersionId="84CE3797-F1CB-4475-A223-757918929EB4"
DisplayName="Contoso Software Connection Group" >
diff --git a/mdop/appv-v5/index.md b/mdop/appv-v5/index.md
index c51ad7bc30..8f3c652084 100644
--- a/mdop/appv-v5/index.md
+++ b/mdop/appv-v5/index.md
@@ -21,8 +21,14 @@ Microsoft Application Virtualization (App-V) 5 lets administrators make applicat
[Microsoft Application Virtualization 5.1 Administrator's Guide](microsoft-application-virtualization-51-administrators-guide.md)
+> [!NOTE]
+> Application Virtualization 5.1 for Remote Desktop Services will be end of life on January 10, 2023. Please upgrade to a supported version, such as App-V 5.0 with Service Pack 3 prior to this date.
+
[Microsoft Application Virtualization 5.0 Administrator's Guide](microsoft-application-virtualization-50-administrators-guide.md)
+> [!NOTE]
+> Application Virtualization 5.0 for Windows Desktops will be end of life on January 10, 2023. Please upgrade to a supported version, such as App-V 5.0 with Service Pack 3 prior to this date.
+
## More Information
diff --git a/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md b/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md
index fdfc5ef202..3645704cf9 100644
--- a/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md
+++ b/mdop/appv-v5/microsoft-application-virtualization-50-administrators-guide.md
@@ -52,7 +52,7 @@ The Microsoft Application Virtualization (App-V) 5.0 Administrator’s Guide pro
- [Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata.md)
- [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md)
-#
+## Also see
- Add or vote on suggestions on the ["Microsoft Application Virtualization" forum on UserVoice.com](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
- For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
diff --git a/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md b/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md
index b5120b6279..07efe04eca 100644
--- a/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md
+++ b/mdop/appv-v5/microsoft-application-virtualization-51-administrators-guide.md
@@ -48,7 +48,7 @@ The Microsoft Application Virtualization (App-V) 5.1 Administrator’s Guide pro
- [Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata51.md)
- [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md)
-#
+## Also see
- Add or vote on suggestions on the ["Microsoft Application Virtualization" forum on UserVoice.com](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
- For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
index d8aa6ae42a..d18673c97f 100644
--- a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
+++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
@@ -476,11 +476,11 @@ Server Performance Tuning Guidelines for
- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx)
-- [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)
-- [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
## Sequencing Steps to Optimize Packages for Publishing Performance
diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md
index 936a78123f..c6309edacb 100644
--- a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md
+++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md
@@ -483,11 +483,11 @@ Server Performance Tuning Guidelines for
- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx)
-- [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)
-- [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
## Sequencing Steps to Optimize Packages for Publishing Performance
diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office.md b/mdop/appv-v5/planning-for-using-app-v-with-office.md
index 7f570f7070..bb0f791a10 100644
--- a/mdop/appv-v5/planning-for-using-app-v-with-office.md
+++ b/mdop/appv-v5/planning-for-using-app-v-with-office.md
@@ -61,7 +61,7 @@ The following table lists the versions of Microsoft Office that App-V supports,
-Office 365 ProPlus
+ | Microsoft 365 Apps for enterprise
Also supported:
Visio Pro for Office 365
From a recovery partition |
Lets you boot into DaRT without needing a CD, DVD, or UFD that includes instances in which there is no network connectivity.
-Also, can be implemented and managed as part of your standard Windows image process by using automated distribution tools, such as System Center Configuration Manager. |
+Also, can be implemented and managed as part of your standard Windows image process by using automated distribution tools, such as Microsoft Endpoint Configuration Manager.
When updating DaRT, requires you to update all computers in your enterprise instead of just one partition (on the network) or device (CD, DVD, or UFD). |
|
diff --git a/mdop/mbam-v2/about-mbam-20-sp1.md b/mdop/mbam-v2/about-mbam-20-sp1.md
index ab210f8c1c..cb1d4df6a7 100644
--- a/mdop/mbam-v2/about-mbam-20-sp1.md
+++ b/mdop/mbam-v2/about-mbam-20-sp1.md
@@ -16,12 +16,10 @@ ms.date: 08/30/2016
# About MBAM 2.0 SP1
-
This topic describes the changes in Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1). For a general description of MBAM, see [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md).
## What’s new in MBAM 2.0 SP1
-
This version of MBAM provides the following new features and functionality.
### Support for Windows 8.1, Windows Server 2012 R2, and System Center 2012 R2 Configuration Manager
@@ -257,8 +255,9 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
// Microsoft BitLocker Administration and Monitoring
//===================================================
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+
[Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Win32_BitLockerEncryptionDetails
{
@@ -290,8 +289,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
Boolean IsAutoUnlockEnabled;
};
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy
{
@@ -352,8 +351,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
EncodedComputerName;
};
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy_64
{
@@ -414,8 +413,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
EncodedComputerName;
};
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_OperatingSystemExtended
@@ -426,8 +425,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
uint32 SKU;
};
-# pragma namespace ("\\\\.\\root\\cimv2")
-# pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ # pragma namespace ("\\\\.\\root\\cimv2")
+ # pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_ComputerSystemExtended
@@ -449,35 +448,23 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M
MBAM 2.0 SP1 is now available in the following languages:
- English (United States) en-US
-
- French (France) fr-FR
-
- Italian (Italy) it-IT
-
- German (Germany) de-DE
-
- Spanish, International Sort (Spain) es-ES
-
- Korean (Korea) ko-KR
-
- Japanese (Japan) ja-JP
-
- Portuguese (Brazil) pt-BR
-
- Russian (Russia) ru-RU
-
- Chinese Traditional zh-TW
-
- Chinese Simplified zh-CN
## How to Get MDOP Technologies
-
MBAM 2.0 SP1 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049).
## Related topics
-
[Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md)
diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
index 3ed2c2c111..cd77d39b06 100644
--- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
@@ -19,7 +19,10 @@ author: shortpatti
This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
-[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=58345)
+[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=57157)
+
+> [!NOTE]
+> For more information about the hotfix releases, see the [MBAM version chart](https://docs.microsoft.com/archive/blogs/dubaisec/mbam-version-chart).
#### Steps to update the MBAM Server for existing MBAM environment
1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features).
diff --git a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md
index b821b00937..f230087d93 100644
--- a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md
+++ b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md
@@ -68,9 +68,9 @@ The XML declaration must specify the XML version 1.0 attribute (<?xml version
**Type: String**
-UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
+UE-V uses the https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
-``
+``
### Data types
@@ -644,10 +644,10 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen
```xml
@@ -1005,9 +1005,9 @@ The XML declaration must specify the XML version 1.0 attribute (<?xml version
**Type: String**
-UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
+UE-V uses the https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
-``
+``
### Data types
@@ -1578,10 +1578,10 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen
```xml
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index b3f0ec8f06..b62b89b55a 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -21,12 +21,12 @@ ms.localizationpriority: medium
**Applies to:**
-- Office 365 Business Premium, Azure AD Premium, Intune, Microsoft Store for Business, Windows 10
+- Microsoft 365 Business Standard, Azure AD Premium, Intune, Microsoft Store for Business, Windows 10
Are you ready to move your business to the cloud or wondering what it takes to make this happen with Microsoft cloud services and tools?
-In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to:
-- Acquire an Office 365 business domain
+In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Microsoft 365 Business Standard, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to:
+- Acquire an Microsoft 365 for business domain
- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
- Set up Microsoft Store for Business and manage app deployment and sync with Intune
- Add users and groups in Azure AD and Intune
@@ -52,11 +52,11 @@ See Get Started with Office 365 for business.
+To set up your Microsoft 365 for business tenant, see Get Started with Microsoft 365 for business.
If this is the first time you're setting this up, and you'd like to see how it's done, you can follow these steps to get started:
-1. Go to the Office 365 page in the Microsoft Business site. Select **Try now** to use the Office 365 Business Premium Trial or select **Buy now** to sign up for Office 365 Business Premium. In this walkthrough, we'll select **Try now**.
+1. Go to the Office 365 page in the Microsoft Business site. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
**Figure 1** - Try or buy Office 365
@@ -68,14 +68,14 @@ If this is the first time you're setting this up, and you'd like to see how it's
This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into https://portal.office.com (the admin portal).
4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code.
-5. Select **You're ready to go...** which will take you to the Office 365 portal.
+5. Select **You're ready to go...** which will take you to the Microsoft 365 admin center.
> [!NOTE]
- > In the Office 365 portal, icons that are greyed out are still installing.
+ > In the Microsoft 365 admin center, icons that are greyed out are still installing.
- **Figure 2** - Office 365 portal
+ **Figure 2** - Microsoft 365 admin center
- 
+ 
6. Select the **Admin** tile to go to the admin center.
@@ -560,7 +560,7 @@ For other devices, such as those personally-owned by employees who need to conne
9. You can confirm that the new device and user are showing up as Intune-managed by going to the Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
### 4.2 Add a new user
-You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
+You can add new users to your tenant simply by adding them to the Microsoft 365 groups. Adding new users to Microsoft 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
See [Add users to Office 365](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc?ui=en-US&rs=en-US&ad=US&fromAR=1) to learn more. Once you're done adding new users, go to the Intune management portal and verify that the same users were added to the Intune groups as well.
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index cfbb3dcb99..3989e6d860 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -61,7 +61,7 @@ People in your org can request license for apps that they need, or that others n
## Acquire apps
**To acquire an app**
-1. Sign in to http://businessstore.microsoft.com
+1. Sign in to https://businessstore.microsoft.com
2. Select **Shop for my group**, or use Search to find an app.
3. Select the app you want to purchase.
4. On the product description page, choose your license type - either online or offline.
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index 8c1e9402e7..bddb37739a 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -100,4 +100,4 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr
When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store.
-7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with System Center Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
+7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 298857630c..d00eb08313 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -43,6 +43,6 @@ After your management tool is added to your Azure AD directory, you can configur
Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics:
- [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune-classic/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
-- [Manage apps from Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 52c8ea4a6b..5c70fb1b0b 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -44,7 +44,7 @@ You can't distribute offline-licensed apps directly from Microsoft Store. Once y
- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages).
- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
- - [Manage apps from Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+ - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index cc3bbbad3c..03c3b38bdf 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -45,7 +45,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)
- **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings.
-- **Upgrade Office 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 Business to Office 365 Business Premium.
+- **Upgrade Microsoft 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 for business subscription to a Microsoft 365 for business subscription.
## January and February 2018
- **One place for apps, software, and subscriptions** - The new **Products & services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services.
@@ -61,7 +61,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file.
## October 2017
-- Bug fixes and performance improvements.
+- Bug fixes and performance improvements.
## September 2017
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index 2855e4cd43..0c9d5e23e1 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -51,7 +51,7 @@ The private store for your organization is a page in Microsoft Store app that co
-## Troubleshooting Microsoft Store for Business integration with System Center Configuration Manager
+## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](https://support.microsoft.com/help/4010214/understand-and-troubleshoot-microsoft-store-for-business-integration-w).
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 197cff66cb..29d79221c5 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -18,7 +18,7 @@ ms.topic: article
After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application.
-For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide]().
+For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx).
>[!NOTE]
>The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 9ee527503b..728f4943a1 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Server Using a Script (Windows 10)
-description: How to Deploy the App-V Server Using a Script
+description: Information, lists, and tables that can help you deploy the App-V server using a script
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index d71a0f0476..14493f0b25 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -1,6 +1,6 @@
---
title: Deploying App-V (Windows 10)
-description: Deploying App-V
+description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index eb84b6e2b7..2e77179b7c 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -48,7 +48,7 @@ For detailed instructions on how to create virtual application packages using Ap
You can deploy Office 2010 packages by using any of the following App-V deployment methods:
-* System Center Configuration Manager
+* Microsoft Endpoint Configuration Manager
* App-V server
* Stand-alone through Windows PowerShell commands
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 6fa996507f..4379625ee0 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -39,7 +39,7 @@ Before you deploy Office with App-V, review the following requirements.
|---|---|
|Packaging|All Office applications you wish to deploy to users must be in a single package.
In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office).|
|Publishing|You can only publish one Office package per client computer.
You must publish the Office package globally, not to the user.|
-|Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.|
+|Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.|
### Excluding Office applications from a package
@@ -246,7 +246,7 @@ Use the following information to publish an Office package.
Deploy the App-V package for Office 2013 by using the same methods you use for any other package:
-* System Center Configuration Manager
+* Microsoft Endpoint Configuration Manager
* App-V Server
* Stand-alone through Windows PowerShell commands
@@ -284,10 +284,10 @@ Use the steps in this section to enable Office plug-ins with your Office package
#### To enable plug-ins for Office App-V packages
-1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Office 365 ProPlus (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
+1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
-4. Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
+4. Add a Connection Group through App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
5. Add the Office 2013 App-V package and the plug-ins package you sequenced to the Connection Group you created.
>[!IMPORTANT]
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index ce7303bbf8..e90fc8be78 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -39,7 +39,7 @@ Before you deploy Office with App-V, review the following requirements.
|-----------|-------------------|
| Packaging. | All Office applications that you deploy to users must be in a single package.
In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
If you're deploying Microsoft Visio 2016 and Microsoft Project 2016 at the same time as Office, you must put them all in the same package. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). |
| Publishing. | You can only publish one Office package per client computer.
You must publish the Office package globally, not to the user. |
-| Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). |
+| Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). |
### Excluding Office applications from a package
@@ -124,7 +124,7 @@ The XML file included in the Office Deployment Tool specifies the product detail
| Language element | Specifies which language the applications support. | `Language ID="en-us"` |
| Version (attribute of **Add** element) | Optional. Specifies which build the package will use.
Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` |
| SourcePath (attribute of **Add** element) | Specifies the location the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` |
- | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
The default is **Deferred** for Office 365 ProPlus and **Current** for Visio Pro for Office 365 and Project Desktop Client.
For more information about update channels, see [Overview of update channels for Office 365 ProPlus](https://docs.microsoft.com/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
`Channel="Deferred"`
`Channel="FirstReleaseDeferred"`
`Channel="FirstReleaseCurrent"` |
+ | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
The default is **Deferred** for Microsoft 365 Apps for enterprise and **Current** for Visio Pro for Office 365 and Project Desktop Client.
For more information about update channels, see [Overview of update channels for Microsoft 365 Apps for enterprise](https://docs.microsoft.com/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
`Channel="Deferred"`
`Channel="FirstReleaseDeferred"`
`Channel="FirstReleaseCurrent"` |
After editing the **configuration.xml** file to specify the desired product, languages, and the location where the Office 2016 applications will be saved to, you can save the configuration file under a name of your choice, such as "Customconfig.xml."
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. The following is an example command:
@@ -152,7 +152,7 @@ After you download the Office 2016 applications through the Office Deployment To
The following table summarizes the values you need to enter in the **Customconfig.xml** file. The steps in the sections that follow the table will specify the exact entries you need to make.
>[!NOTE]
->You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+>You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
| Product ID | Subscription licensing |
|---|---|
@@ -230,7 +230,7 @@ Use the following information to publish an Office package.
Deploy the App-V package for Office 2016 by using the same methods as the other packages that you've already deployed:
-* System Center Configuration Manager
+* Microsoft Endpoint Configuration Manager
* App-V Server
* Stand-alone through Windows PowerShell commands
@@ -267,10 +267,10 @@ The following steps will tell you how to enable Office plug-ins with your Office
#### Enable plug-ins for Office App-V packages
-1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Office 365 ProPlus (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins.
+1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins.
3. Create an App-V package that includes the plug-ins you want.
-4. Add a Connection Group through the App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
+4. Add a Connection Group through the App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
>[!IMPORTANT]
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index dac8271c33..da919b1dbf 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -30,7 +30,7 @@ You can use the App-V Sequencer to create plug-in packages for language packs, l
For a list of supported Office products, see [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click).
>[!NOTE]
->You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Office 365 ProPlus. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744).
+>You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Microsoft 365 Apps for enterprise. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744).
## Using App-V with coexisting versions of Office
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
index 7c682239c3..49e7266314 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@@ -16,7 +16,7 @@ ms.topic: article
>Applies to: Windows 10, version 1607
-If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with System Center Configuration Manager, see [Introduction to application management in Configuration Manager](https://technet.microsoft.com/library/gg682125.aspx#BKMK_Appv).
+If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](https://technet.microsoft.com/library/gg682125.aspx#BKMK_Appv).
Review the following component and architecture requirements options that apply when you use an ESD to deploy App-V packages:
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index cd4469abe5..565f150699 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to publish a package by using the Management console (Windows 10)
-description: How to publish a package by using the Management console.
+description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
index 3befc157bd..b1a6caca2c 100644
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -44,7 +44,7 @@ Each method accomplishes essentially the same task, but some methods may be bett
To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections.
-There is no Group Policy setting available to manage this registry key, so you have to use System Center Configuration Manager or another electronic software distribution (ESD) system, or manually edit the registry.
+There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Configuration Manager or another electronic software distribution (ESD) system, or manually edit the registry.
Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user.
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index 2dce846fd9..ebab019584 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -51,12 +51,15 @@ The following table lists the SQL Server versions that the App-V Management data
|SQL Server version|Service pack|System architecture|
|---|---|---|
+|Microsoft SQL Server 2019||32-bit or 64-bit|
|Microsoft SQL Server 2017||32-bit or 64-bit|
|Microsoft SQL Server 2016|SP2|32-bit or 64-bit|
|Microsoft SQL Server 2014||32-bit or 64-bit|
|Microsoft SQL Server 2012|SP2|32-bit or 64-bit|
|Microsoft SQL Server 2008 R2|SP3|32-bit or 64-bit|
+For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f).
+
### Publishing server operating system requirements
The App-V Publishing server can be installed on a server that runs Windows Server 2008 R2 with SP1 or later.
@@ -117,9 +120,9 @@ The following table lists the operating systems that the App-V Sequencer install
See the Windows or Windows Server documentation for the hardware requirements.
-## Supported versions of System Center Configuration Manager
+## Supported versions of Microsoft Endpoint Configuration Manager
-The App-V client works with System Center Configuration Manager versions starting with Technical Preview for System Center Configuration Manager, version 1606.
+The App-V client works with Configuration Manager versions starting with Technical Preview for System Center Configuration Manager, version 1606.
## Related topics
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 7b5828d9c2..7f0c586ed7 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -31,64 +31,61 @@ The following tables list the system apps, installed Windows apps, and provision
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
-
## Provisioned Windows apps
-Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809.
+You can list all provisioned Windows apps with this PowerShell command:
-> [!TIP]
-> You can list all provisioned Windows apps with this PowerShell command:
-> ```
-> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
-> ```
+```Powershell
+Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
+```
-
-
-| Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? |
-|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
-| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | | Yes |
-| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
-| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
-| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.VP9VideoExtensions | | | | | x | No |
-| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
-| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
-| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
+Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909.
+| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? |
+|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
+| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes |
+| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
+| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
+| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
+| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.VP9VideoExtensions | | | x | x | x | No |
+| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
+| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
+| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
@@ -97,13 +94,11 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809.
-> [!TIP]
-> You can list all system apps with this PowerShell command:
-> ```
-> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
-> ```
+You can list all system apps with this PowerShell command:
-
+```Powershell
+Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
+```
| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? |
|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
@@ -149,7 +144,7 @@ System apps are integral to the operating system. Here are the typical system ap
> [!NOTE]
-> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
+> The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
## Installed Windows apps
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
index fdb6834a7a..e7e6041a1d 100644
--- a/windows/application-management/change-history-for-application-management.md
+++ b/windows/application-management/change-history-for-application-management.md
@@ -1,6 +1,6 @@
---
title: Change history for Application management in Windows 10 (Windows 10)
-description: View changes to documentation for application management in Windows 10.
+description: View new release information and updated topics in the documentation for application management in Windows 10.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
index d176e86059..cab2bb9669 100644
--- a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
+++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
@@ -16,7 +16,7 @@ ms.topic: article
> Applies to: Windows 10
-When you have a new version of an application, how do you get that to the Windows 10 Mobile devices in your environment? With [application supersedence in System Center Configuration Manager](/sccm/apps/deploy-use/revise-and-supersede-applications#application-supersedence).
+When you have a new version of an application, how do you get that to the Windows 10 Mobile devices in your environment? With [application supersedence in Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/revise-and-supersede-applications#application-supersedence).
There are two steps to deploy an app upgrade:
@@ -58,4 +58,4 @@ You don't need to delete the deployment associated with the older version of the
-If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app.
+If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with Microsoft Endoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app.
diff --git a/windows/application-management/media/app-upgrade-cm-console.png b/windows/application-management/media/app-upgrade-cm-console.png
index 8681e2fb39..2ce9cd411e 100644
Binary files a/windows/application-management/media/app-upgrade-cm-console.png and b/windows/application-management/media/app-upgrade-cm-console.png differ
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index 267386adc6..124846eb32 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -59,7 +59,7 @@ First, validate the type of EAP method being used:
-If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu:
+If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section.
@@ -118,4 +118,3 @@ Even if audit policy appears to be fully enabled, it sometimes helps to disable
[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx)
-
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index a7c0f2f152..54f8565c87 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -65,11 +65,11 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
## Supported configurations
-In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using:
+In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using:
- Password
- Smartcards
-- Windows Hello for Business, if the domain is managed by System Center Configuration Manager
+- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index 6601e238eb..52a10357c5 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/28/2019
ms.reviewer:
-manager: dcscontentpm
+manager: willchen
---
# Generate a kernel or complete crash dump
@@ -61,7 +61,7 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi
2. Select **Start**, and then select **Command Prompt**.
3. At the command line, run the following command:
- ```cmd
+ ```console
notMyfault.exe /crash
```
@@ -80,6 +80,7 @@ To do this, follow these steps:
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
1. In Registry Editor, locate the following registry subkey:
+
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl**
2. Right-click **CrashControl**, point to **New**, and then click **DWORD Value**.
@@ -101,6 +102,8 @@ To do this, follow these steps:
9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction.
+If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](https://docs.microsoft.com/azure/virtual-machines/linux/serial-console-nmi-sysrq).
+
### Use the keyboard
[Forcing a System Crash from the Keyboard](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
@@ -108,4 +111,3 @@ To do this, follow these steps:
### Use Debugger
[Forcing a System Crash from the Debugger](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)
-
diff --git a/windows/client-management/images/windows-10-management-range-of-options.png b/windows/client-management/images/windows-10-management-range-of-options.png
index e4de546709..c37b489954 100644
Binary files a/windows/client-management/images/windows-10-management-range-of-options.png and b/windows/client-management/images/windows-10-management-range-of-options.png differ
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 688b2e776c..0511eea424 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -31,7 +31,7 @@ When a device running Windows 10 Mobile is joined to Azure AD, the device can e
- Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD.
-- SSO in Microsoft Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211).
+- SSO in Microsoft Edge browser to Azure AD-connected web applications like Microsoft 365 admin center, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211).
- SSO to resources on-premises.
@@ -177,7 +177,7 @@ The OneDrive application also uses SSO, showing you all your documents and enabl
-In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Office 365 portal, and OneDrive for Business.
+In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Microsoft 365 admin center, and OneDrive for Business.
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index fad72959e6..7d344924f1 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -42,7 +42,7 @@ You can use the same management tools to manage all device types running Windows
## Learn more
-[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx)
+[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx)
[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index c6fe7134c8..45de1ade9b 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -21,7 +21,7 @@ Use of personal devices for work, as well as employees working outside the offic
Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist.
-Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as System Center Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
+Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
@@ -46,7 +46,7 @@ Windows 10 offers a range of management options, as shown in the following diagr
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
## Deployment and Provisioning
@@ -57,7 +57,7 @@ With Windows 10, you can continue to use traditional OS deployment, but you can
- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
-- Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction).
+- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/understand/introduction).
You have multiple options for [upgrading to Windows 10](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
@@ -86,7 +86,7 @@ You can envision user and device management as falling into these two categories
- Windows Hello
- Domain joined PCs and tablets can continue to be managed with the [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) client or Group Policy.
+ Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](https://docs.microsoft.com/configmgr/core/understand/introduction) client or Group Policy.
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/).
@@ -100,7 +100,7 @@ Your configuration requirements are defined by multiple factors, including the l
**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
-**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
+**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices:
- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
@@ -128,10 +128,10 @@ There are a variety of steps you can take to begin the process of modernizing de
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
-- [Co-management for Windows 10 devices](https://docs.microsoft.com/sccm/core/clients/manage/co-management-overview)
-- [Prepare Windows 10 devices for co-management](https://docs.microsoft.com/sccm/core/clients/manage/co-management-prepare)
-- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/sccm/core/clients/manage/co-management-switch-workloads)
-- [Co-management dashboard in System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/co-management-dashboard)
+- [Co-management for Windows 10 devices](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-overview)
+- [Prepare Windows 10 devices for co-management](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-prepare)
+- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-switch-workloads)
+- [Co-management dashboard in Configuration Manager](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-dashboard)
## Related topics
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 9241a7fdf7..476d73c694 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -159,15 +159,15 @@
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
-#### [Policies supported by Group Policy](policies-supported-by-group-policy.md)
-#### [ADMX-backed policies](policies-admx-backed.md)
-#### [Policies supported by HoloLens 2](policies-supported-by-hololens2.md)
-#### [Policies supported by HoloLens (1st gen) Commercial Suite](policies-supported-by-hololens-1st-gen-commercial-suite.md)
-#### [Policies supported by HoloLens (1st gen) Development Edition](policies-supported-by-hololens-1st-gen-development-edition.md)
-#### [Policies supported by Windows 10 IoT Enterprise](policies-supported-by-iot-enterprise.md)
-#### [Policies supported by Windows 10 IoT Core](policies-supported-by-iot-core.md)
-#### [Policies supported by Microsoft Surface Hub](policies-supported-by-surface-hub.md)
-#### [Policies that can be set using Exchange Active Sync (EAS)](policies-that-can-be-set-using-eas.md)
+#### [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+#### [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
+#### [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
+#### [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+#### [Policy CSPs supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+#### [Policy CSPs supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+#### [Policy CSPs supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
+#### [Policy CSPs supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
+#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index d6d6a9fc16..40de22d2b3 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
-ms.date: 04/17/2018
+ms.date: 03/27/2020
ms.reviewer:
manager: dansimp
---
@@ -39,6 +39,9 @@ Available naming macros:
Supported operation is Add.
+> [!Note]
+> For desktop PCs on the next major release of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
+
**Users**
Interior node for the user account information.
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 1eae18e33a..79b168c90e 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -45,7 +45,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
-7. In the Office 365 portal, select **Purchase Services** from the left nagivation.
+7. In the Microsoft 365 admin center, select **Purchase Services** from the left nagivation.
@@ -67,7 +67,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
-1. Sign in to the Office 365 portal at using your organization's account.
+1. Sign in to the Microsoft 365 admin center at using your organization's account.
diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md
index 7c1c0a5050..cd4c993d17 100644
--- a/windows/client-management/mdm/appv-deploy-and-config.md
+++ b/windows/client-management/mdm/appv-deploy-and-config.md
@@ -15,7 +15,7 @@ manager: dansimp
## Executive summary
-Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.
+Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Configuration Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.
MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index 0a9fa5c02f..413f6d9c1e 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -9,7 +9,6 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
-ms.date: 09/05/2017
---
# Azure Active Directory integration with MDM
@@ -31,13 +30,14 @@ For personal devices (BYOD):
### Azure AD Join
-Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as System Center Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM.
+Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Endpoint Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy corporate owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
-> **Important** Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
+> [!IMPORTANT]
+> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
### BYOD scenario
@@ -60,7 +60,8 @@ For Azure AD enrollment to work for an Active Directory Federated Services (AD F
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
-> **Note** Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
+> [!NOTE]
+> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure AD integrated enrollment
@@ -80,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use
**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins.
-It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies).
+It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
@@ -103,7 +104,8 @@ A cloud-based MDM is a SaaS application that provides device management capabili
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
-> **Note** For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
+> [!NOTE]
+> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
@@ -136,7 +138,7 @@ For more information about how to register a sample application with Azure AD, s
An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
-The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use.
+To add an on-premises MDM application to the tenant, there is an entry under the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
@@ -236,7 +238,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
-> Note There is no device ID claim in the access token because the device may not yet be enrolled at this time.
+> [!NOTE]
+> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
-
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654).
Here's an example URL.
-``` syntax
+```console
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
@@ -390,7 +392,7 @@ If an error was encountered during the terms of use processing, the MDM can retu
Here is the URL format:
-``` syntax
+```console
HTTP/1.1 302
Location:
?error=access_denied&error_description=Access%20is%20denied%2E
@@ -426,7 +428,7 @@ The following table shows the error codes.
unsupported version |
-Tenant or user data are missingor other required prerequisites for device enrollment are not met |
+Tenant or user data are missing or other required prerequisites for device enrollment are not met |
302 |
unauthorized_client |
unauthorized user or tenant |
@@ -601,7 +603,7 @@ In this scenario, the MDM enrollment applies to a single user who initially adde
**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
-``` syntax
+```console
Authorization:Bearer
```
@@ -621,7 +623,7 @@ Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is
An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
-``` syntax
+```xml
Alert Type: com.microsoft/MDM/AADUserToken
Alert sample:
@@ -636,7 +638,7 @@ Alert sample:
UserToken inserted here
- … other xml tags …
+ … other XML tags …
```
@@ -665,7 +667,7 @@ Here's an example.
user
- … other xml tags …
+ … other XML tags …
```
@@ -682,9 +684,10 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it.
-> **Note** This is only applicable for approved MDM apps on Windows 10 devices.
+> [!NOTE]
+> This is only applicable for approved MDM apps on Windows 10 devices.
-``` syntax
+```console
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
@@ -713,7 +716,7 @@ Response:
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
-
+
## Error codes
@@ -921,4 +924,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
-
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 82139a98a6..8611ab72a1 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -7,15 +7,12 @@ ms.prod: w10
ms.technology: windows
author: lomayor
ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 04/16/2020
ms.reviewer:
manager: dansimp
---
# BitLocker CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
> [!NOTE]
@@ -25,18 +22,21 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
the setting configured by the admin.
-For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if TPM protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
+For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
The following diagram shows the BitLocker configuration service provider in tree format.
+
**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
-
+
**RequireStorageCardEncryption**
+
Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.
-
+
+
| Home |
@@ -57,12 +57,13 @@ Allows the administrator to require storage card encryption on the device. This
 |
+
Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
-
+
- 0 (default) – Storage cards do not need to be encrypted.
- 1 – Require storage cards to be encrypted.
-
+
Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
If you want to disable this policy use the following SyncML:
@@ -87,11 +88,13 @@ If you want to disable this policy use the following SyncML:
```
Data type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+
+
**RequireDeviceEncryption**
-
+
Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.
-
+
+
| Home |
@@ -112,7 +115,7 @@ Allows the administrator to require encryption to be turned on by using BitLocke
|
-
+
Data type is integer. Sample value for this node to enable this policy: 1.
Supported operations are Add, Get, Replace, and Delete.
@@ -126,12 +129,12 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
- It must not be a system partition.
- It must not be backed by virtual storage.
- It must not have a reference in the BCD store.
-
+
The following list shows the supported values:
- 0 (default) — Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
- 1 – Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
-
+
If you want to disable this policy, use the following SyncML:
```xml
@@ -152,10 +155,13 @@ If you want to disable this policy, use the following SyncML:
```
-
+
+
**EncryptionMethodByDriveType**
-
-Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
+
+Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
+
+
| Home |
@@ -176,6 +182,8 @@ Allows you to set the default encryption method for each of the different drive
 |
+
+
ADMX Info:
- GP English name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
@@ -183,6 +191,7 @@ ADMX Info:
- GP path: Windows Components/Bitlocker Drive Encryption
- GP ADMX file name: VolumeEncryption.admx
+
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@@ -202,14 +211,14 @@ If you disable or do not configure this policy setting, BitLocker will use the d
EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
-
- The possible values for 'xx' are:
+
+ The possible values for 'xx' are:
- 3 = AES-CBC 128
- 4 = AES-CBC 256
- 6 = XTS-AES 128
- 7 = XTS-AES 256
-
+
> [!NOTE]
> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
@@ -225,15 +234,19 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
chr
- <disabled/>
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+
+
**SystemDrivesRequireStartupAuthentication**
-This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
+
+This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
+
+
| Home |
@@ -254,6 +267,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Require add
|
+
+
ADMX Info:
- GP English name: Require additional authentication at startup
@@ -261,16 +276,17 @@ ADMX Info:
- GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
+
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
-This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.
+This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
> [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
-If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
+If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
@@ -297,40 +313,44 @@ Data id:
ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.
ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
-
-The possible values for 'xx' are:
+
+The possible values for 'xx' are:
- true = Explicitly allow
- false = Policy not set
-The possible values for 'yy' are:
+The possible values for 'yy' are:
- 2 = Optional
- 1 = Required
- 0 = Disallowed
-
+
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
- -
-
- ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+
+
**SystemDrivesMinimumPINLength**
-This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
+
+This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
+
+
| Home |
@@ -351,6 +371,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure m
|
+
+
ADMX Info:
- GP English name:Configure minimum PIN length for startup
@@ -358,6 +380,7 @@ ADMX Info:
- GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
+
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@@ -382,24 +405,29 @@ Sample value for this node to enable this policy is:
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
- -
-
- ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
-**SystemDrivesRecoveryMessage**
-This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).
+
+
+**SystemDrivesRecoveryMessage**
+
+This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL"
+(PrebootRecoveryInfo_Name).
+
+
| Home |
@@ -420,6 +448,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure p
|
+
+
ADMX Info:
- GP English name: Configure pre-boot recovery message and URL
@@ -427,6 +457,7 @@ ADMX Info:
- GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
+
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@@ -434,18 +465,19 @@ ADMX Info:
This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
-If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).
+If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).
-If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
+If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
-If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
+If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
Sample value for this node to enable this policy is:
```xml
```
-The possible values for 'xx' are:
+
+The possible values for 'xx' are:
- 0 = Empty
- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
@@ -453,34 +485,38 @@ The possible values for 'xx' are:
- 3 = Custom recovery URL is set.
- 'yy' = string of max length 900.
- 'zz' = string of max length 500.
-
+
> [!NOTE]
> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
- -
-
- ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage
+
+
+ chr
+
+
+
+
```
> [!NOTE]
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+
+
**SystemDrivesRecoveryOptions**
-This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
+
+This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
+
+
| Home |
@@ -501,6 +537,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how
|
+
+
ADMX Info:
- GP English name: Choose how BitLocker-protected operating system drives can be recovered
@@ -508,24 +546,25 @@ ADMX Info:
- GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
+
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
-The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
-In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
+In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
-Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
+Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
-Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-> [!Note]
-> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
+> [!NOTE]
+> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
@@ -536,41 +575,45 @@ Sample value for this node to enable this policy is:
```xml
```
-
-The possible values for 'xx' are:
+
+The possible values for 'xx' are:
- true = Explicitly allow
- false = Policy not set
-The possible values for 'yy' are:
+The possible values for 'yy' are:
- 2 = Allowed
- 1 = Required
- 0 = Disallowed
-The possible values for 'zz' are:
+The possible values for 'zz' are:
- 2 = Store recovery passwords only
- 1 = Store recovery passwords and key packages
-
+
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
- -
-
- ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+
+
**FixedDrivesRecoveryOptions**
-This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
+
+This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
+
+
| Home |
@@ -591,6 +634,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how
|
+
+
ADMX Info:
- GP English name: Choose how BitLocker-protected fixed drives can be recovered
@@ -598,25 +643,27 @@ ADMX Info:
- GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
- GP ADMX file name: VolumeEncryption.admx
+
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
-The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
-In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
+In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
-Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
+Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
-Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
+Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
-> [!Note]
> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
+> [!NOTE]
+> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
@@ -627,14 +674,14 @@ Sample value for this node to enable this policy is:
```xml
```
-
-The possible values for 'xx' are:
+
+The possible values for 'xx' are:
- true = Explicitly allow
- false = Policy not set
-The possible values for 'yy' are:
+The possible values for 'yy' are:
- 2 = Allowed
- 1 = Required
@@ -642,33 +689,37 @@ The possible values for 'yy' are:
-The possible values for 'zz' are:
+The possible values for 'zz' are:
- 2 = Store recovery passwords only
- 1 = Store recovery passwords and key packages
-
+
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
- -
-
- ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+
+
**FixedDrivesRequireEncryption**
-This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
+
+This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
+
+
| Home |
@@ -689,6 +740,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write
|
+
+
ADMX Info:
- GP English name: Deny write access to fixed drives not protected by BitLocker
@@ -696,6 +749,7 @@ ADMX Info:
- GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
- GP ADMX file name: VolumeEncryption.admx
+
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@@ -713,24 +767,28 @@ Sample value for this node to enable this policy is:
If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
- -
-
- ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption
+
+
+ chr
+
+
+
+
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+
+
**RemovableDrivesRequireEncryption**
-This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
+
+This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
+
+
| Home |
@@ -751,6 +809,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write
|
+
+
ADMX Info:
- GP English name: Deny write access to removable drives not protected by BitLocker
@@ -758,6 +818,7 @@ ADMX Info:
- GP path: Windows Components/Bitlocker Drive Encryption/Removeable Drives
- GP ADMX file name: VolumeEncryption.admx
+
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@@ -766,51 +827,53 @@ This setting configures whether BitLocker protection is required for a computer
If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
-If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
+If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
-> [!Note]
> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
+> [!NOTE]
+> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
Sample value for this node to enable this policy is:
```xml
```
-
-The possible values for 'xx' are:
+
+The possible values for 'xx' are:
- true = Explicitly allow
- false = Policy not set
-
+
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
- $CmdID$
- -
-
- ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption
-
-
- chr
-
- <disabled/>
-
-
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption
+
+
+ chr
+
+
+
+
```
-
+
+
**AllowWarningForOtherDiskEncryption**
-
+
Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.
-
+
> [!IMPORTANT]
> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
> [!Warning]
> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
-
+
| Home |
@@ -831,12 +894,13 @@ Allows the admin to disable the warning prompt for other disk encryption on the
|
-
+
+
The following list shows the supported values:
- 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.
- 1 (default) – Warning prompt allowed.
-
+
```xml
110
@@ -846,7 +910,6 @@ The following list shows the supported values:
int
-
0
@@ -861,22 +924,24 @@ The following list shows the supported values:
>3. The user's personal OneDrive (MDM/MAM only).
>
>Encryption will wait until one of these three locations backs up successfully.
-
-**AllowStandardUserEncryption**
+
+
+**AllowStandardUserEncryption**
+
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
-
+
> [!NOTE]
> This policy is only supported in Azure AD accounts.
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
-
+
The expected values for this policy are:
- 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
- 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive.
-
+
If you want to disable this policy use the following SyncML:
```xml
@@ -893,9 +958,18 @@ If you want to disable this policy use the following SyncML:
```
+
+
+
**ConfigureRecoveryPasswordRotation**
+
+
This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys.
+
+
+
+
| Home |
@@ -916,15 +990,28 @@ This setting initiates a client-driven recovery password refresh after an OS dri
|
+
+
Value type is int. Supported operations are Add, Delete, Get, and Replace.
+
+
Supported values are:
- 0 – Refresh off (default)
- 1 – Refresh on for Azure AD-joined devices
- 2 – Refresh on for both Azure AD-joined and hybrid-joined devices
+
+
+
+
+
**RotateRecoveryPasswords**
+
+
+
This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate.
+
The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure.
@@ -937,6 +1024,7 @@ Recovery password refresh will only occur for devices that are joined to Azure A
Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed.
+
| Home |
@@ -957,14 +1045,21 @@ Each server-side recovery key rotation is represented by a request ID. The serve
|
+
+
Value type is string. Supported operation is Execute. Request ID is expected as a parameter.
**Status**
Interior node. Supported operation is Get.
-**Status/DeviceEncryptionStatus**
-This node reports compliance state of device encryption on the system.
+
+
+**Status/DeviceEncryptionStatus**
+
+This node reports compliance state of device encryption on the system.
+
+
| Home |
@@ -985,15 +1080,46 @@ This node reports compliance state of device encryption on the system.
|
+
+
+
+Value type is int. Supported operation is Get.
Supported values:
- 0 - Indicates that the device is compliant.
-- Any other value represents a non-compliant device.
+- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
-Value type is int. Supported operation is Get.
+| Bit | Error Code |
+|-----|------------|
+| 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.|
+| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.|
+| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.|
+| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.|
+| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.|
+| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.|
+| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.|
+| 7 |The OS volume is unprotected.|
+| 8 |Recovery key backup failed.|
+| 9 |A fixed drive is unprotected.|
+| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.|
+| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.|
+| 12 |Windows Recovery Environment (WinRE) isn't configured.|
+| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
+| 14 |The TPM isn't ready for BitLocker.|
+| 15 |The network isn't available, which is required for recovery key backup. |
+| 16-31 |For future use.|
+
+
+
+
+
+
**Status/RotateRecoveryPasswordsStatus**
+
+
This node reports the status of RotateRecoveryPasswords request.
+
Status code can be one of the following:
@@ -1001,6 +1127,7 @@ Status code can be one of the following:
- 1 - Pending
- 0 - Pass
- Any other code - Failure HRESULT
+
| Home |
@@ -1021,11 +1148,21 @@ Status code can be one of the following:
|
+
+
Value type is int. Supported operation is Get.
+
+
+
+
**Status/RotateRecoveryPasswordsRequestID**
+
+
This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
+
+
| Home |
@@ -1046,6 +1183,9 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta
|
+
+
+
Value type is string. Supported operation is Get.
### SyncML example
@@ -1091,10 +1231,10 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType
- <enabled/>
- <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/>
- <data id="EncryptionMethodWithXtsFdvDropDown_Name" value="7"/>
- <data id="EncryptionMethodWithXtsRdvDropDown_Name" value="4"/>
+
+
+
+
@@ -1106,12 +1246,12 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication
- <enabled/>
- <data id="ConfigureNonTPMStartupKeyUsage_Name" value="true"/>
- <data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="2"/>
- <data id="ConfigurePINUsageDropDown_Name" value="2"/>
- <data id="ConfigureTPMPINKeyUsageDropDown_Name" value="2"/>
- <data id="ConfigureTPMUsageDropDown_Name" value="2"/>
+
+
+
+
+
+
@@ -1123,8 +1263,8 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength
- <enabled/>
- <data id="MinPINLength" value="6"/>
+
+
@@ -1136,10 +1276,10 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage
- <enabled/>
- <data id="RecoveryMessage_Input" value="blablablabla"/>
- <data id="PrebootRecoveryInfoDropDown_Name" value="2"/>
- <data id="RecoveryUrl_Input" value="blablabla"/>
+
+
+
+
@@ -1151,14 +1291,14 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions
- <enabled/>
- <data id="OSAllowDRA_Name" value="true"/>
- <data id="OSRecoveryPasswordUsageDropDown_Name" value="2"/>
- <data id="OSRecoveryKeyUsageDropDown_Name" value="2"/>
- <data id="OSHideRecoveryPage_Name" value="true"/>
- <data id="OSActiveDirectoryBackup_Name" value="true"/>
- <data id="OSActiveDirectoryBackupDropDown_Name" value="2"/>
- <data id="OSRequireActiveDirectoryBackup_Name" value="true"/>
+
+
+
+
+
+
+
+
@@ -1170,14 +1310,14 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions
- <enabled/>
- <data id="FDVAllowDRA_Name" value="true"/>
- <data id="FDVRecoveryPasswordUsageDropDown_Name" value="2"/>
- <data id="FDVRecoveryKeyUsageDropDown_Name" value="2"/>
- <data id="FDVHideRecoveryPage_Name" value="true"/>
- <data id="FDVActiveDirectoryBackup_Name" value="true"/>
- <data id="FDVActiveDirectoryBackupDropDown_Name" value="2"/>
- <data id="FDVRequireActiveDirectoryBackup_Name" value="true"/>
+
+
+
+
+
+
+
+
@@ -1189,7 +1329,7 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption
- <enabled/>
+
@@ -1201,8 +1341,8 @@ The following example is provided to show proper format and should not be taken
./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption
- <enabled/>
- <data id="RDVCrossOrg" value="true"/>
+
+
@@ -1210,4 +1350,6 @@ The following example is provided to show proper format and should not be taken
-```
\ No newline at end of file
+```
+
+
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index aab7f8755b..1ed78230d4 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
-ms.date: 06/26/2017
+ms.date: 02/28/2020
---
# CertificateStore CSP
@@ -144,7 +144,13 @@ Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) f
Supported operations are Get, Add, Delete, and Replace.
**My/SCEP/*UniqueID*/Install/SubjectName**
-Required. Specifies the subject name. Value type is chr.
+Required. Specifies the subject name.
+
+The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ).
+
+For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
+
+Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 41612181c5..8837ad757e 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 10/16/2018
+ms.date: 02/28/2020
---
# ClientCertificateInstall CSP
@@ -29,32 +29,32 @@ The following image shows the ClientCertificateInstall configuration service pro
-**Device or User**
-For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path.
+**Device or User**
+For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path.
-**ClientCertificateInstall**
-
The root node for the ClientCertificateInstaller configuration service provider.
+**ClientCertificateInstall**
+The root node for the ClientCertificateInstaller configuration service provider.
-**ClientCertificateInstall/PFXCertInstall**
-
Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.
+**ClientCertificateInstall/PFXCertInstall**
+Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.
-
Supported operation is Get.
+Supported operation is Get.
-**ClientCertificateInstall/PFXCertInstall/***UniqueID*
-
Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
+**ClientCertificateInstall/PFXCertInstall/***UniqueID*
+Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
-
The data type format is node.
+The data type format is node.
-
Supported operations are Get, Add, and Replace.
+Supported operations are Get, Add, and Replace.
-
Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
+Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
-
Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
+Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
-
Supported operations are Get, Add, and Replace.
+Supported operations are Get, Add, and Replace.
-
The data type is an integer corresponding to one of the following values:
+The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------------------|
@@ -64,225 +64,229 @@ The following image shows the ClientCertificateInstall configuration service pro
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
-
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
+Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
-
Date type is string.
+Date type is string.
-
Supported operations are Get, Add, Delete, and Replace.
+Supported operations are Get, Add, Delete, and Replace.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
-
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
+CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
-
The data type format is binary.
+The data type format is binary.
-
Supported operations are Get, Add, and Replace.
+Supported operations are Get, Add, and Replace.
-
If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.
+If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.
-
If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
+If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
-
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB.
+In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
-
Password that protects the PFX blob. This is required if the PFX is password protected.
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
+Password that protects the PFX blob. This is required if the PFX is password protected.
-
Data Type is a string.
+Data Type is a string.
-
Supported operations are Get, Add, and Replace.
+Supported operations are Get, Add, and Replace.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
-
Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server.
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
+Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server.
-
The data type is int. Valid values:
+The data type is int. Valid values:
- 0 - Password is not encrypted.
- 1 - Password is encrypted with the MDM certificate.
- 2 - Password is encrypted with custom certificate.
-
When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting.
+When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting.
-
Supported operations are Get, Add, and Replace.
+Supported operations are Get, Add, and Replace.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
-
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
+Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note** You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
-
The data type bool.
+The data type bool.
-
Supported operations are Get, Add, and Replace.
+Supported operations are Get, Add, and Replace.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
-
Returns the thumbprint of the installed PFX certificate.
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
+Returns the thumbprint of the installed PFX certificate.
-
The datatype is a string.
+The datatype is a string.
-
Supported operation is Get.
+Supported operation is Get.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
-
Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
+Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
-
Data type is an integer.
+Data type is an integer.
-
Supported operation is Get.
+Supported operation is Get.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
-
Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
+Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.
-
Data type is string.
+Data type is string.
-
Supported operations are Add, Get, and Replace.
+Supported operations are Add, Get, and Replace.
-**ClientCertificateInstall/SCEP**
-
Node for SCEP.
+**ClientCertificateInstall/SCEP**
+Node for SCEP.
> **Note** An alert is sent after the SCEP certificate is installed.
-**ClientCertificateInstall/SCEP/***UniqueID*
-
A unique ID to differentiate different certificate installation requests.
+**ClientCertificateInstall/SCEP/***UniqueID*
+A unique ID to differentiate different certificate installation requests.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install**
-
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install**
+A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
-
Supported operations are Get, Add, Replace, and Delete.
+Supported operations are Get, Add, Replace, and Delete.
> **Note** Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
-
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
-
-
Data type is string.
-
-
Supported operations are Get, Add, Delete, and Replace.
-
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
-
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
-
-
Data type is string.
-
-
Supported operations are Add, Get, Delete, and Replace.
-
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
-
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus +. For example, OID1+OID2+OID3.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
+Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
Data type is string.
-
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail.
-
Data type is int.
+Supported operations are Get, Add, Delete, and Replace.
-
Supported operations are Add, Get, Delete, and Replace.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
+Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
-
Required. Specifies the subject name.
+Data type is string.
-
Data type is string.
+Supported operations are Add, Get, Delete, and Replace.
-
Supported operations are Add, Get, and Replace.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
+Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus +. For example, OID1+OID2+OID3.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
-
Optional. Specifies where to keep the private key.
+Data type is string.
+Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail.
+
+Data type is int.
+
+Supported operations are Add, Get, Delete, and Replace.
+
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
+Required. Specifies the subject name.
+
+The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ).
+
+For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
+
+Data type is string.
+
+Supported operations are Add, Get, and Replace.
+
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
+Optional. Specifies where to keep the private key.
> **Note** Even if the private key is protected by TPM, it is not protected with a TPM PIN.
-
The data type is an integer corresponding to one of the following values:
+The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
| 3 | (Default) Private key saved in software KSP. |
-| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. |
+| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
-
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
+Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail.
-
Supported operations are Add, Get, Delete, and Replace. Value type is integer.
+ Supported operations are Add, Get, Delete, and Replace. Value type is integer.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
-
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
+Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
-
Data type format is an integer.
+Data type format is an integer.
-
The default value is 5.
+The default value is 5.
-
The minimum value is 1.
+The minimum value is 1.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
-
Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
+Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
-
Data type is integer.
+Data type is integer.
-
Default value is 3.
+Default value is 3.
-
Maximum value is 30. If the value is larger than 30, the device will use 30.
+Maximum value is 30. If the value is larger than 30, the device will use 30.
-
Minimum value is 0, which indicates no retry.
+Minimum value is 0, which indicates no retry.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
-
Optional. OID of certificate template name.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
+Optional. OID of certificate template name.
> **Note** This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it.
-
Data type is string.
+Data type is string.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
-
Required for enrollment. Specify private key length (RSA).
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
+Required for enrollment. Specify private key length (RSA).
-
Data type is integer.
+Data type is integer.
-
Valid values are 1024, 2048, and 4096.
+Valid values are 1024, 2048, and 4096.
-
For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length.
+For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
-
Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
+Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +.
-
For Windows Hello for Business, only SHA256 is the supported algorithm.
+For Windows Hello for Business, only SHA256 is the supported algorithm.
-
Data type is string.
+Data type is string.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
-
Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
+Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
-
Data type is string.
+Data type is string.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
-
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
+Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
-
Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2].
+Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2].
-
Data type is string.
+Data type is string.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
-
Optional. Specifies the units for the valid certificate period.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
+Optional. Specifies the units for the valid certificate period.
-
Data type is string.
+Data type is string.
-
Valid values are:
+Valid values are:
- Days (Default)
- Months
@@ -291,61 +295,61 @@ Data type is string.
> **Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
-
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
+Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
-
Data type is string.
+Data type is string.
>**Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
-
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
+Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
-
Data type is string.
+Data type is string.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
-
Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
+Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
-
Data type is string.
+Data type is string.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
-
Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
+Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
-
The date type format is Null, meaning this node doesn’t contain a value.
+The date type format is Null, meaning this node doesn’t contain a value.
-
The only supported operation is Execute.
+The only supported operation is Execute.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
-
Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
+Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
-
Data type is string.
+Data type is string.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
-
Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
+**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
+Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
-
If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
+If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
-
Data type is string.
+Data type is string.
-
The only supported operation is Get.
+The only supported operation is Get.
-**ClientCertificateInstall/SCEP/*UniqueID*/Status**
-
Required. Specifies latest status of the certificated during the enrollment request.
+**ClientCertificateInstall/SCEP/*UniqueID*/Status**
+Required. Specifies latest status of the certificated during the enrollment request.
-
Data type is string. Valid values:
+Data type is string. Valid values:
-
The only supported operation is Get.
+The only supported operation is Get.
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------|
@@ -355,17 +359,17 @@ Data type is string.
| 32 | Unknown |
-**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
-
Optional. An integer value that indicates the HRESULT of the last enrollment error code.
+**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
+Optional. An integer value that indicates the HRESULT of the last enrollment error code.
-
The only supported operation is Get.
+The only supported operation is Get.
**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl**
-
Required. Returns the URL of the SCEP server that responded to the enrollment request.
+Required. Returns the URL of the SCEP server that responded to the enrollment request.
-
Data type is string.
+Data type is string.
-
The only supported operation is Get.
+The only supported operation is Get.
## Example
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 746d5b282e..99080ed5f3 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -272,6 +272,8 @@ Supported operation is Get.
**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device.
+A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default)
+
The data type is a boolean.
Supported operation is Get.
@@ -279,6 +281,8 @@ Supported operation is Get.
**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device.
+A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default)
+
The data type is a boolean.
Supported operation is Get.
@@ -422,4 +426,4 @@ Supported operations are Get and Execute.
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 9292eb002c..859ffd1672 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 07/11/2018
+ms.date: 03/27/2020
---
# DevDetail CSP
@@ -29,121 +29,136 @@ The following diagram shows the DevDetail configuration service provider managem
**DevTyp**
-
Required. Returns the device model name /SystemProductName as a string.
+Required. Returns the device model name /SystemProductName as a string.
-
Supported operation is Get.
+Supported operation is Get.
**OEM**
-
Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
+Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
-
Supported operation is Get.
+Supported operation is Get.
**FwV**
-
Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision.
+Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision.
-
For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
+For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
-
Supported operation is Get.
+Supported operation is Get.
**SwV**
-
Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
+Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
-
Supported operation is Get.
+Supported operation is Get.
**HwV**
-
Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision.
+Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision.
-
For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
+For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
-
Supported operation is Get.
+Supported operation is Get.
**LrgObj**
-
Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
+Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
-
Supported operation is Get.
+Supported operation is Get.
**URI/MaxDepth**
-
Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0).
+Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0).
-
Supported operation is Get.
+Supported operation is Get.
-
This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
+This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
**URI/MaxTotLen**
-
Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
+Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
-
Supported operation is Get.
+Supported operation is Get.
-
This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
+This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
**URI/MaxSegLen**
-
Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
+Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
-
Supported operation is Get.
+Supported operation is Get.
-
This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
+This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
**Ext/Microsoft/MobileID**
-
Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
+Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
-
Supported operation is Get.
+Supported operation is Get.
-
The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
-
-**Ext/Microsoft/LocalTime**
-
Required. Returns the client local time in ISO 8601 format.
-
-
Supported operation is Get.
-
-**Ext/Microsoft/OSPlatform**
-
Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.
-
-
Supported operation is Get.
-
-**Ext/Microsoft/ProcessorType**
-
Required. Returns the processor type of the device as documented in SYSTEM_INFO.
-
-
Supported operation is Get.
+The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
**Ext/Microsoft/RadioSwV**
-
Required. Returns the radio stack software version number.
+Required. Returns the radio stack software version number.
-
Supported operation is Get.
+Supported operation is Get.
**Ext/Microsoft/Resolution**
-
Required. Returns the UI screen resolution of the device (example: "480x800").
+Required. Returns the UI screen resolution of the device (example: "480x800").
-
Supported operation is Get.
+Supported operation is Get.
**Ext/Microsoft/CommercializationOperator**
-
Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
+Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
-
Supported operation is Get.
+Supported operation is Get.
**Ext/Microsoft/ProcessorArchitecture**
-
Required. Returns the processor architecture of the device as "arm" or "x86".
+Required. Returns the processor architecture of the device as "arm" or "x86".
-
Supported operation is Get.
+Supported operation is Get.
+
+**Ext/Microsoft/ProcessorType**
+Required. Returns the processor type of the device as documented in SYSTEM_INFO.
+
+Supported operation is Get.
+
+**Ext/Microsoft/OSPlatform**
+Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.
+
+Supported operation is Get.
+
+**Ext/Microsoft/LocalTime**
+Required. Returns the client local time in ISO 8601 format.
+
+Supported operation is Get.
**Ext/Microsoft/DeviceName**
-
Required. Contains the user-specified device name.
+Required. Contains the user-specified device name.
-
Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
+Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
-
Value type is string.
+Value type is string.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
+
+**Ext/Microsoft/DNSComputerName**
+Added in the next major release of Windows 10. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md).
+
+The following are the available naming macros:
+
+| Macro | Description | Example | Generated Name |
+| -------| -------| -------| -------|
+| %RAND:<# of digits> | Generates the specified number of random digits. | Test%RAND:6% | Test123456|
+| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| Test-Device-%SERIAL% | Test-Device-456|
+
+Value type is string. Supported operations are Get and Replace.
+
+> [!Note]
+> On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer"s` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
**Ext/Microsoft/TotalStorage**
-
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
+Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
-
Supported operation is Get.
+Supported operation is Get.
> [!NOTE]
> This is only supported in Windows 10 Mobile.
**Ext/Microsoft/TotalRAM**
-
Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
+Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
Supported operation is Get.
@@ -153,45 +168,45 @@ Added in Windows 10, version 1809. SMBIOS Serial Number of the device.
Value type is string. Supported operation is Get.
**Ext/WLANMACAddress**
-
The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
+The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
-
Supported operation is Get.
+Supported operation is Get.
> [!NOTE]
> This is not supported in Windows 10 for desktop editions.
**Ext/VoLTEServiceSetting**
-
Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
+Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
-
Supported operation is Get.
+Supported operation is Get.
**Ext/WlanIPv4Address**
-
Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
+Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
-
Supported operation is Get.
+Supported operation is Get.
**Ext/WlanIPv6Address**
-
Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
-
Supported operation is Get.
+Supported operation is Get.
**Ext/WlanDnsSuffix**
-
Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
-
Supported operation is Get.
+Supported operation is Get.
**Ext/WlanSubnetMask**
-
Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
-
Supported operation is Get.
+Supported operation is Get.
**Ext/DeviceHardwareData**
-
Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
+Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!NOTE]
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
-
Supported operation is Get.
+Supported operation is Get.
## Related topics
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index b313ad3605..47df0219d5 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -21,7 +21,7 @@ This topic shows the OMA DM device description framework (DDF) for the **DevDeta
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, version 1809.
+The XML below is the current version for this CSP.
```xml
@@ -488,6 +488,28 @@ The XML below is for Windows 10, version 1809.
+
+ DNSComputerName
+
+
+
+
+
+ This node specifies the DNS name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. If both macros are in the string, the RANDOM macro will take priority over the SERIAL macro (SERIAL will be ignored). The server must explicitly reboot the device for this value to take effect. This value has a maximum allowed length of 63 characters as per DNS standards.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
TotalStorage
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 4767766c8c..9469f12408 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -1,6 +1,6 @@
---
title: DMClient CSP
-description: Understand how the DMClient configuration service provider works. It is used to specify enterprise-specific mobile device management configuration settings.
+description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings.
ms.assetid: a5cf35d9-ced0-4087-a247-225f102f2544
ms.reviewer:
manager: dansimp
@@ -15,9 +15,9 @@ ms.date: 11/01/2017
# DMClient CSP
-The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment.
+The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment.
-The following diagram shows the DMClient configuration service provider in tree format.
+The following diagram shows the DMClient CSP in tree format.
@@ -25,7 +25,7 @@ The following diagram shows the DMClient configuration service provider in tree
Root node for the CSP.
**UpdateManagementServiceAddress**
-For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
+For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
@@ -45,16 +45,17 @@ For Intune, use **MS DM Server** for Windows desktop or **SCConfigMgr** for Wind
Supported operations are Get and Add.
**Provider/*ProviderID*/EntDeviceName**
-Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session.
+Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
**Provider/*ProviderID*/EntDMID**
-Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session.
+Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
-> **Note** Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION configuration service provider’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
+> [!NOTE]
+> Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
@@ -62,7 +63,8 @@ This node is required and must be set by the server before the client certificat
**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server.
-> **Note** In some cases for the desktop, this node will return "not found" until the user sets up their email.
+> [!NOTE]
+> In some cases for the desktop, this node will return "not found" until the user sets up their email.
@@ -87,7 +89,7 @@ The following is a Get command example.
Supported operation is Get.
**Provider/*ProviderID*/SignedEntDMID**
-Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the mobile device management server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
+Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Supported operation is Get.
@@ -99,11 +101,12 @@ Supported operation is Get.
**Provider/*ProviderID*/ManagementServiceAddress**
Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server.
-> **Note** When the ManagementServerAddressList value is set, the device ignores the value in ManagementServiceAddress.
+> [!NOTE]
+> When the **ManagementServerAddressList** value is set, the device ignores the value.
-The DMClient configuration service provider will save the address to the same location as the w7 and DMS configuration service providers to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md).
+The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md).
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices.
@@ -132,7 +135,7 @@ Optional. The character string that allows the user experience to include a cust
Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/RequireMessageSigning**
-Boolean type. Primarly used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature.
+Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature.
Default value is false, where the device management client does not include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
@@ -143,8 +146,8 @@ Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/SyncApplicationVersion**
Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
-> **Note**
-This node is only supported in Windows 10 and later.
+> [!NOTE]
+> This node is only supported in Windows 10 and later.
Once you set the value to 2.0, it will not go back to 1.0.
@@ -160,9 +163,9 @@ When you query this node, a Windows 10 client will return 2.0 and a Windows 8.
Supported operation is Get.
**Provider/*ProviderID*/AADResourceID**
-Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory enrollments (AAD Join or Add Accounts). The token is audience specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
+Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
-For more information about Azure Active Directory enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
+For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
@@ -203,7 +206,7 @@ Here is an example of DM message sent by the device when it is in pending state:
```
**Provider/*ProviderID*/AADDeviceID**
-Added in Windows 10, version 1607. Returns the device ID for the Azure Active Directory device registration.
+Added in Windows 10, version 1607. Returns the device ID for the Azure AD device registration.
Supported operation is Get.
@@ -223,9 +226,10 @@ Added in Windows 10, version 1607. Configures the identifier used to uniquely a
Supported operations are Add, Get, Replace, and Delete.
**Provider/*ProviderID*/ManagementServerAddressList**
-Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, etc... If there is only one, the angle brackets (<>) are not required.
+Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there is only one, the angle brackets (<>) are not required.
-> **Note** The < and > should be escaped.
+> [!NOTE]
+> The < and > should be escaped.
@@ -255,12 +259,13 @@ Optional. Added in Windows 10, version 1703. Specify the Discovery server URL o
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
-Optional. Number of days after last sucessful sync to unenroll.
+Optional. Number of days after last successful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
**Provider/*ProviderID*/AADSendDeviceToken**
-Device. Added in Windows 10 version 1803. For AZure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
+
+Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
@@ -377,7 +382,8 @@ If there is no infinite schedule set, then a 24-hour schedule is created and sch
**Invalid poll schedule: disable all poll schedules**
-> **Note** Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero.
+> [!NOTE]
+> Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero.
@@ -552,12 +558,12 @@ Optional. Boolean value that allows the IT admin to require the device to start
Supported operations are Add, Get, and Replace.
**Provider/*ProviderID*/Push**
-Optional. Not configurable during WAP Provisioining XML. If removed, DM sessions triggered by Push will no longer be supported.
+Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.
Supported operations are Add and Delete.
**Provider/*ProviderID*/Push/PFN**
-Required. A string provided by the Windows 10 ecosystem for a Mobile Device Management solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
+Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
Supported operations are Add, Get, and Replace.
@@ -665,7 +671,7 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing 4 apps, and ProductID2 containing 2 apps.
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
@@ -677,7 +683,7 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
```
-This represents App Package PackageFullName containing 4 apps, and PackageFullName2 containing 2 apps.
+This represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index f687502610..7ccca3fe88 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -1,6 +1,6 @@
---
title: EAP configuration
-description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, plus info about EAP certificate filtering in Windows 10.
+description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10.
ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE
ms.reviewer:
manager: dansimp
@@ -15,46 +15,46 @@ ms.date: 06/26/2017
# EAP configuration
-The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10.
+This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10.
-## Create an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile
+## Create an EAP configuration XML for a VPN profile
-Here is an easy way to get the EAP configuration from your desktop using the rasphone tool that is shipped in the box.
+To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box:
1. Run rasphone.exe.
-2. If you don't currently have any VPN connections and you see the following message, click **OK**.
+1. If you don't currently have a VPN connection and you see the following message, select **OK**.
-3. Select **Workplace network** in the wizard.
+1. In the wizard, select **Workplace network**.
-4. Enter any dummy information for the internet address and connection name. These can be fake since it does not impact the authentication parameters.
+1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.
-5. Create a fake VPN connection. In the UI shown below, click **Properties**.
+1. Create a fake VPN connection. In the UI shown here, select **Properties**.
-6. In the **Test Properties** dialog, click the **Security** tab.
+1. In the **Test Properties** dialog, select the **Security** tab.
-7. In the **Security** tab, select **Use Extensible Authentication Protocol (EAP)** radio button.
+1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
-8. From the drop down menu, select the EAP method that you want to configure. Then click **Properties** to configure as needed.
+1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
-9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
+1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
```powershell
Get-VpnConnection -Name Test
@@ -88,7 +88,7 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
$a.EapConfigXmlStream.InnerXml
```
- Here is an example output
+ Here is an example output.
```xml
1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
-> 2. Install the package on the Primary Domain Controller (PDC).
+> 2. Install the package on the Domain Controller.
> 3. Navigate, depending on the version to the folder:
> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
@@ -178,14 +179,13 @@ Requirements:
> 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
> 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
> (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
-> 6. Restart the Primary Domain Controller for the policy to be available.
+> 6. Restart the Domain Controller for the policy to be available.
> This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
-5. Enforce a GPO link.
## Troubleshoot auto-enrollment of devices
@@ -245,6 +245,7 @@ To collect Event Viewer logs:
### Useful Links
+- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 70759a6c03..8cc8149b7f 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -14,17 +14,17 @@ ms.date: 08/09/2017
# EnterpriseDataProtection CSP
-The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip).
+The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip).
-> **Note**
->- To make WIP functional the AppLocker CSP and the network isolation specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
->- This CSP was added in Windows 10, version 1607.
+> [!Note]
+> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
+> - This CSP was added in Windows 10, version 1607.
While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
-To learn more about WIP, see the following TechNet topics:
+To learn more about WIP, see the following articles:
- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
@@ -34,79 +34,82 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
**./Device/Vendor/MSFT/EnterpriseDataProtection**
-The root node for the CSP.
+The root node for the CSP.
**Settings**
-
The root node for the Windows Information Protection (WIP) configuration settings.
+The root node for the Windows Information Protection (WIP) configuration settings.
**Settings/EDPEnforcementLevel**
-
Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
+Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Off / No protection (decrypts previously protected data).
- 1 – Silent mode (encrypt and audit only).
- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/EnterpriseProtectedDomainNames**
-
A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
+A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
-
Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client.
+Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client.
-> **Note** The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
+> [!Note]
+> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
-
Here are the steps to create canonical domain names:
+Here are the steps to create canonical domain names:
-1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
+1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
-
Supported operations are Add, Get, Replace and Delete. Value type is string.
+Supported operations are Add, Get, Replace, and Delete. Value type is string.
**Settings/AllowUserDecryption**
-
Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
+Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
> [!IMPORTANT]
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/RequireProtectionUnderLockConfig**
-
Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy.
+Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Not required.
- 1 – Required.
-
Most restricted value is 1.
+Most restricted value is 1.
-
The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.
+The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.
-> **Note** This setting is only supported in Windows 10 Mobile.
+> [!Note]
+> This setting is only supported in Windows 10 Mobile.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/DataRecoveryCertificate**
-
Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy.
+Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy.
-> **Note** If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.
+> [!Note]
+> If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.
-
DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
+DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
The binary blob is the serialized version of following structure:
``` syntax
@@ -231,60 +234,59 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
```
-
For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate.
+For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate.
-
Supported operations are Add, Get, Replace and Delete. Value type is base-64 encoded certificate.
+Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
**Settings/RevokeOnUnenroll**
-
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
+This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 – Don't revoke keys.
- 1 (default) – Revoke keys.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/RevokeOnMDMHandoff**
-
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
+Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys
- 1 (default) - Revoke keys
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/RMSTemplateIDForEDP**
-
TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
+TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
-
Supported operations are Add, Get, Replace and Delete. Value type is string (GUID).
+Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
**Settings/AllowAzureRMSForEDP**
-
Specifies whether to allow Azure RMS encryption for WIP.
+Specifies whether to allow Azure RMS encryption for WIP.
- 0 (default) – Don't use RMS.
- 1 – Use RMS.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/SMBAutoEncryptedFileExtensions**
-
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list.
-
When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
-
Supported operations are Add, Get, Replace and Delete. Value type is string.
+Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list.
+When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
+Supported operations are Add, Get, Replace and Delete. Value type is string.
**Settings/EDPShowIcons**
-
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
-
-
The following list shows the supported values:
+Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
+The following list shows the supported values:
- 0 (default) - No WIP overlays on icons or tiles.
- 1 - Show WIP overlays on protected files and apps that can only create enterprise content.
-
Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Status**
-
A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
+A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
-
Suggested values:
+Suggested values:
@@ -319,13 +321,13 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
-Bit 0 indicates whether WIP is on or off.
+Bit 0 indicates whether WIP is on or off.
-
Bit 1 indicates whether AppLocker WIP policies are set.
+Bit 1 indicates whether AppLocker WIP policies are set.
-
Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero).
+Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero).
-
Here's the list of mandatory WIP policies:
+Here's the list of mandatory WIP policies:
- EDPEnforcementLevel in EnterpriseDataProtection CSP
- DataRecoveryCertificate in EnterpriseDataProtection CSP
@@ -333,9 +335,9 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
- NetworkIsolation/EnterpriseIPRange in Policy CSP
- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP
-
Bits 2 and 4 are reserved for future use.
+Bits 2 and 4 are reserved for future use.
-
Supported operation is Get. Value type is integer.
+Supported operation is Get. Value type is integer.
diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md
index 772d402b87..87699a8b11 100644
--- a/windows/client-management/mdm/get-offline-license.md
+++ b/windows/client-management/mdm/get-offline-license.md
@@ -1,6 +1,6 @@
---
title: Get offline license
-description: The Get offline license operation retrieves the offline license information of a product from the Micosoft Store for Business.
+description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business.
ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get offline license
-The **Get offline license** operation retrieves the offline license information of a product from the Micosoft Store for Business.
+The **Get offline license** operation retrieves the offline license information of a product from the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md
index 394b64e58c..5ad2851bc5 100644
--- a/windows/client-management/mdm/get-product-packages.md
+++ b/windows/client-management/mdm/get-product-packages.md
@@ -1,6 +1,6 @@
---
title: Get product packages
-description: The Get product packages operation retrieves the information about applications in the Micosoft Store for Business.
+description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business.
ms.assetid: 039468BF-B9EE-4E1C-810C-9ACDD55C0835
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get product packages
-The **Get product packages** operation retrieves the information about applications in the Micosoft Store for Business.
+The **Get product packages** operation retrieves the information about applications in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md
index 21d8f631c1..a510b2460c 100644
--- a/windows/client-management/mdm/get-seats.md
+++ b/windows/client-management/mdm/get-seats.md
@@ -1,6 +1,6 @@
---
title: Get seats
-description: The Get seats operation retrieves the information about active seats in the Micosoft Store for Business.
+description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business.
ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get seats
-The **Get seats** operation retrieves the information about active seats in the Micosoft Store for Business.
+The **Get seats** operation retrieves the information about active seats in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png
index 6926801241..6ece851369 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 481d57ea45..57d1c57718 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -1,6 +1,6 @@
---
-title: Provide server-side support for mobile app management on Windows
-description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices.
+title: Implement server-side support for mobile application management on Windows
+description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -16,21 +16,21 @@ manager: dansimp
The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
-## Integration with Azure Active Directory
+## Integration with Azure AD
MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
-MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
+MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
-On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings>Accounts>Access work or school**.
+On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
Regular non-admin users can enroll to MAM.
## Integration with Windows Information Protection
-MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware applications. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.
+MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.
-To make applications WIP-aware, app developers need to include the following data in the app resource file:
+To make applications WIP-aware, app developers need to include the following data in the app resource file.
``` syntax
// Mark this binary as Allowed for WIP (EDP) purpose
@@ -42,20 +42,20 @@ To make applications WIP-aware, app developers need to include the following dat
## Configuring an Azure AD tenant for MAM enrollment
-MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the Management app for an IT admin configuration.
+MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.
MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.
-## MAM enrollment
+## MAM enrollment
MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](https://msdn.microsoft.com/library/mt221945.aspx). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.
Below are protocol changes for MAM enrollment:
-- MDM discovery is not supported
-- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional
-- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore, does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.
+- MDM discovery is not supported.
+- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional.
+- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.
Here is an example provisioning XML for MAM enrollment.
@@ -73,39 +73,36 @@ Here is an example provisioning XML for MAM enrollment.
Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours.
-## Supported Configuration Service Providers (CSPs)
+## Supported CSPs
-MAM on Windows support the following CSPs. All other CSPs will be blocked. Note the list may change later based on customer feedback.
+MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
-- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps
-- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs
-- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703)
-- [DevInfo CSP](devinfo-csp.md)
-- [DMAcc CSP](dmacc-csp.md)
-- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL
-- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies
-- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703)
-- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management
-- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas
-- [Reporting CSP](reporting-csp.md) for retrieving WIP logs
-- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md)
-- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM
-- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM
+- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps.
+- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
+- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
+- [DevInfo CSP](devinfo-csp.md).
+- [DMAcc CSP](dmacc-csp.md).
+- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
+- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies.
+- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
+- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
+- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
+- [Reporting CSP](reporting-csp.md) for retrieving WIP logs.
+- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
+- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
+- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
## Device lock policies and EAS
MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP.
-We do not recommend configuring both Exchange Active Sync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows:
+We do not recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows:
-
-- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS:
-- If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.
-- If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.
-
-- If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM, EAS, and the resultant set of policies will be a superset of both.
-
+- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS.
+- If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.
+- If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.
+- If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM and EAS, and the resultant set of policies will be a superset of both.
## Policy sync
@@ -115,20 +112,18 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to
Windows does not support applying both MAM and MDM policies to the same devices. If configured by the admin, a user can change his MAM enrollment to MDM.
-> [!Note]
-> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On the Home edition, we do not recommend pushing MDM policies to enable users to upgrade.
+> [!NOTE]
+> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we do not recommend pushing MDM policies to enable users to upgrade.
To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
-
-- Both MAM and MDM policies for the organization support WIP
-- EDP CSP Enterprise ID is the same for both MAM and MDM
-- EDP CSP RevokeOnMDMHandoff is set to FALSE
-
+- Both MAM and MDM policies for the organization support WIP.
+- EDP CSP Enterprise ID is the same for both MAM and MDM.
+- EDP CSP RevokeOnMDMHandoff is set to false.
-If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings>Accounts>Access work or school**. The user can click on this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected.
+If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected.
## Skype for Business compliance with MAM
@@ -156,15 +151,15 @@ We have updated Skype for Business to work with MAM. The following table explain
March 9 2017 |
Visio Pro for Office 365
Project Desktop Client
-Office 365 Business (the version of Office that comes with some Office 365 plans, such as Business Premium.) |
+Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)
| Deferred channel |
Provide users with new features of Office only a few times a year. |
October 10 2017 |
-Office 365 ProPlus |
+Microsoft 365 Apps for enterprise |
-| First release for deferred channel |
+First release for Deferred channel |
Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. |
June 13 2017 |
|
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index b1c7501096..ad7b6964a4 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What is dmwappushsvc?](#what-is-dmwappushsvc)
- **Change history in MDM documentation**
+ - [February 2020](#february-2020)
- [January 2020](#january-2020)
- [November 2019](#november-2019)
- [October 2019](#october-2019)
@@ -1936,6 +1937,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o
## Change history in MDM documentation
+### February 2020
+|New or updated topic | Description|
+|--- | ---|
+|[CertificateStore CSP](certificatestore-csp.md)
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.|
+
### January 2020
|New or updated topic | Description|
|--- | ---|
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index ec46006921..58e1e0a8e9 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -65,7 +65,7 @@ The only supported operation is Get.
## Examples
-Sample SyncML to install Office 365 Business Retail from current channel.
+Sample SyncML to install Microsoft 365 Apps for business Retail from current channel.
```xml
diff --git a/windows/client-management/mdm/policies-admx-backed.md b/windows/client-management/mdm/policies-admx-backed.md
deleted file mode 100644
index 6e6b86877e..0000000000
--- a/windows/client-management/mdm/policies-admx-backed.md
+++ /dev/null
@@ -1,420 +0,0 @@
----
-title: ADMX-backed policies
-description: ADMX-backed policies
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 07/18/2019
----
-
-# ADMX-backed policies
-
-> [!div class="op_single_selector"]
->
-> - [Policies supported by Group Policy](policies-supported-by-group-policy.md)
-> - [ADMX-backed policies](policies-admx-backed.md)
->
-
-- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
-- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
-- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
-- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
-- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
-- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
-- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
-- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
-- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
-- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
-- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
-- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
-- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
-- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
-- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
-- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
-- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
-- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
-- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
-- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
-- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
-- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
-- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
-- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
-- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
-- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
-- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
-- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
-- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
-- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
-- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
-- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
-- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
-- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
-- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
-- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
-- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
-- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
-- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
-- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
-- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
-- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
-- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
-- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
-- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
-- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
-- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
-- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
-- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
-- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
-- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
-- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
-- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
-- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
-- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
-- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
-- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
-- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
-- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
-- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
-- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
-- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
-- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
-- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
-- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
-- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
-- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
-- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
-- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
-- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
-- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
-- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
-- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
-- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
-- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
-- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
-- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
-- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
-- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
-- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
-- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
-- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
-- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
-- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
-- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
-- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
-- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
-- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
-- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
-- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
-- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
-- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
-- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
-- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
-- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
-- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
-- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
-- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
-- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
-- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
-- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
-- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
-- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
-- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
-- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
-- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
-- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
-- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
-- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
-- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
-- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
-- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
-- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
-- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
-- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
-- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
-- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
-- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
-- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
-- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
-- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
-- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
-- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
-- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
-- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
-- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
-- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
-- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
-- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
-- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
-- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
-- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
-- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
-- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
-- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
-- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
-- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
-- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
-- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
-- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
-- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
-- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
-- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
-- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
-- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
-- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
-- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
-- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
-- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
-- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
-- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
-- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
-- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
-- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
-- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
-- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
-- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
-- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
-- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
-- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
-- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
-- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
-- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
-- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
-- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
-- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
-- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
-- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
-- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
-- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
-- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
-- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
-- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
-- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
-- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
-- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
-- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
-- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
-- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
-- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
-- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
-- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
-- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
-- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
-- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
-- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
-- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
-- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
-- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
-- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
-- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
-- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
-- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
-- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
-- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
-- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
-- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
-- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
-- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
-- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
-- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
-- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
-- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
-- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
-- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
-- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
-- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
-- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
-- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
-- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
-- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
-- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
-- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
-- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
-- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
-- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
-- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
-- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
-- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
-- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
-- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
-- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
-- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
-- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
-- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
-- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
-- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
-- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
-- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
-- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
-- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
-- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
-- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
-- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
-- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
-- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
-- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
-- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
-- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
-- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
-- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
-- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
-- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
-- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
-- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
-- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
-- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
-- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
-- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
-- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
-- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
-- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
-- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
-- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
-- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
-- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
-- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
-- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
-- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
-- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
-- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
-- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
-
-## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policies-supported-by-group-policy.md b/windows/client-management/mdm/policies-supported-by-group-policy.md
deleted file mode 100644
index 97ea0d7de0..0000000000
--- a/windows/client-management/mdm/policies-supported-by-group-policy.md
+++ /dev/null
@@ -1,911 +0,0 @@
----
-title: Policies supported by Group Policy
-description: Policies supported by Group Policy
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 07/18/2019
----
-
-# Policies supported by Group Policy
-
-> [!div class="op_single_selector"]
->
-> - [Policies supported by Group Policy](policies-supported-by-group-policy.md)
-> - [ADMX-backed policies](policies-admx-backed.md)
->
-
-- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock)
-- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
-- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
-- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
-- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
-- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
-- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
-- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
-- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
-- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
-- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
-- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
-- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
-- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
-- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
-- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
-- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
-- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
-- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
-- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
-- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
-- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
-- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
-- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
-- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
-- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
-- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
-- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
-- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
-- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
-- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
-- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration)
-- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers)
-- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr)
-- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata)
-- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps)
-- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall)
-- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges)
-- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly)
-- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume)
-- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume)
-- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
-- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
-- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
-- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice)
-- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
-- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
-- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
-- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime)
-- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime)
-- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate)
-- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority)
-- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority)
-- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout)
-- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown)
-- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill)
-- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies)
-- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools)
-- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions)
-- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash)
-- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun)
-- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode)
-- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate)
-- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist)
-- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch)
-- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting)
-- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory)
-- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization)
-- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions)
-- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen)
-- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading)
-- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage)
-- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary)
-- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit)
-- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines)
-- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar)
-- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton)
-- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode)
-- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout)
-- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith)
-- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics)
-- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
-- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
-- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
-- [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
-- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
-- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
-- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides)
-- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage)
-- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection)
-- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride)
-- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles)
-- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc)
-- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites)
-- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer)
-- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine)
-- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl)
-- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl)
-- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer)
-- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge)
-- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton)
-- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks)
-- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera)
-- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata)
-- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps)
-- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps)
-- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps)
-- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
-- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
-- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
-- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
-- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
-- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
-- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
-- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
-- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
-- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
-- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
-- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
-- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
-- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
-- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
-- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection)
-- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning)
-- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
-- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
-- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection)
-- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection)
-- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring)
-- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles)
-- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess)
-- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
-- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
-- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
-- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan)
-- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
-- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
-- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
-- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
-- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
-- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan)
-- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan)
-- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
-- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority)
-- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
-- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
-- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
-- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses)
-- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection)
-- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter)
-- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
-- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
-- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
-- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder)
-- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources)
-- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
-- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
-- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- [DeliveryOptimization/DODelayCacheServerFallbackForeground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch)
-- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
-- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
-- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
-- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
-- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
-- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
-- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
-- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
-- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps)
-- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi)
-- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps)
-- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps)
-- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps)
-- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy)
-- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters)
-- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
-- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
-- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
-- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
-- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
-- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
-- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
-- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
-- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
-- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory)
-- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana)
-- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice)
-- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata)
-- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight)
-- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures)
-- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight)
-- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter)
-- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings)
-- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience)
-- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
-- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
-- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
-- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
-- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
-- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
-- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
-- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
-- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
-- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked)
-- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
-- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
-- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
-- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
-- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
-- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
-- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
-- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
-- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
-- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
-- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
-- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
-- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
-- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
-- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
-- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
-- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
-- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
-- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
-- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
-- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
-- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
-- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
-- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
-- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
-- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
-- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
-- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
-- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
-- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
-- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
-- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
-- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
-- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
-- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
-- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
-- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
-- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
-- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
-- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
-- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
-- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
-- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
-- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
-- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
-- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
-- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
-- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
-- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
-- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
-- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
-- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
-- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
-- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
-- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
-- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
-- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
-- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
-- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
-- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
-- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
-- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
-- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
-- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
-- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
-- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
-- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
-- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
-- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
-- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
-- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
-- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
-- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
-- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
-- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
-- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
-- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
-- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
-- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
-- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
-- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
-- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
-- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
-- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
-- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
-- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
-- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
-- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
-- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
-- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
-- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
-- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
-- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
-- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
-- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
-- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
-- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
-- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
-- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
-- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
-- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
-- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
-- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
-- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
-- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
-- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
-- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
-- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
-- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
-- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
-- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
-- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
-- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
-- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
-- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
-- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
-- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
-- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
-- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
-- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
-- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
-- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
-- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
-- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
-- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
-- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
-- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
-- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
-- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
-- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
-- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
-- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
-- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
-- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
-- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
-- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
-- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
-- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons)
-- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation)
-- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation)
-- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts)
-- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly)
-- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount)
-- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount)
-- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon)
-- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
-- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
-- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
-- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
-- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
-- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
-- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
-- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
-- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
-- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers)
-- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon)
-- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile)
-- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation)
-- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators)
-- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers)
-- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation)
-- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated)
-- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations)
-- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode)
-- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)
-- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode)
-- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations)
-- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe)
-- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
-- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
-- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
-- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
-- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
-- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
-- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
-- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
-- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
-- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
-- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate)
-- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync)
-- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources)
-- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange)
-- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative)
-- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers)
-- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers)
-- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative)
-- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources)
-- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification)
-- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring)
-- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification)
-- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
-- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
-- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery)
-- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
-- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
-- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
-- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
-- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
-- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery)
-- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin)
-- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery)
-- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
-- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery)
-- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
-- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery)
-- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin)
-- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
-- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
-- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
-- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
-- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
-- [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard)
-- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
-- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience)
-- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
-- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
-- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
-- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
-- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar)
-- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps)
-- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps)
-- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory)
-- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps)
-- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps)
-- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera)
-- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps)
-- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps)
-- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps)
-- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts)
-- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps)
-- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps)
-- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps)
-- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail)
-- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps)
-- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps)
-- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps)
-- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation)
-- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps)
-- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps)
-- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps)
-- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging)
-- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps)
-- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps)
-- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps)
-- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone)
-- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps)
-- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps)
-- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps)
-- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion)
-- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps)
-- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps)
-- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps)
-- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications)
-- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps)
-- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps)
-- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps)
-- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone)
-- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps)
-- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps)
-- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps)
-- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios)
-- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps)
-- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps)
-- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps)
-- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks)
-- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps)
-- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps)
-- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps)
-- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices)
-- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps)
-- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps)
-- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo)
-- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
-- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground)
-- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps)
-- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps)
-- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps)
-- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices)
-- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps)
-- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps)
-- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps)
-- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities)
-- [Privacy/UploadUserActivities](./policy-csp-privacy.md#privacy-uploaduseractivities)
-- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
-- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
-- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
-- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
-- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
-- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
-- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
-- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
-- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
-- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
-- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
-- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
-- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
-- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
-- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
-- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
-- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
-- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
-- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
-- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
-- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
-- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
-- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
-- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
-- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
-- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
-- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
-- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
-- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
-- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
-- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
-- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
-- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
-- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
-- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
-- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
-- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles)
-- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
-- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
-- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics)
-- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection)
-- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff)
-- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing)
-- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults)
-- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
-- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
-- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
-- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
-- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
-- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
-- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
-- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol)
-- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
-- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
-- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus)
-- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
-- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
-- [Start/StartLayout](./policy-csp-start.md#start-startlayout)
-- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
-- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
-- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
-- [System/AllowCommercialDataPipeline](./policy-csp-system.md#system-allowcommercialdatapipeline)
-- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata)
-- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
-- [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
-- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry)
-- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
-- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint)
-- [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification)
-- [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux)
-- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete)
-- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer)
-- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy)
-- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync)
-- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
-- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics)
-- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy)
-- [System/TurnOffFileHistory](./policy-csp-system.md#system-turnofffilehistory)
-- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode)
-- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode)
-- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode)
-- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode)
-- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode)
-- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode)
-- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
-- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection)
-- [Troubleshooting/AllowRecommendations](./policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
-- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
-- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
-- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
-- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork)
-- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
-- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
-- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
-- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
-- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
-- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
-- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup)
-- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
-- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates)
-- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod)
-- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot)
-- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
-- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
-- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
-- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod)
-- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
-- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
-- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
-- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates)
-- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
-- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates)
-- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
-- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates)
-- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
-- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
-- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
-- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals)
-- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates)
-- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime)
-- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates)
-- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime)
-- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade)
-- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning)
-- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning)
-- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek)
-- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek)
-- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek)
-- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek)
-- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
-- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
-- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
-- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess)
-- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess)
-- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
-- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel)
-- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
-- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
-- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)
-- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork)
-- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem)
-- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon)
-- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories)
-- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime)
-- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects)
-- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile)
-- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects)
-- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks)
-- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken)
-- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms)
-- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork)
-- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon)
-- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon)
-- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation)
-- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits)
-- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient)
-- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority)
-- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers)
-- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory)
-- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog)
-- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume)
-- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment)
-- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel)
-- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess)
-- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown)
-- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories)
-- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership)
-- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
-- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing)
-- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
-- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname)
-- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui)
-- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui)
-- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton)
-- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui)
-- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications)
-- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui)
-- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui)
-- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui)
-- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications)
-- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning)
-- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui)
-- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride)
-- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email)
-- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts)
-- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization)
-- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery)
-- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot)
-- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting)
-- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol)
-- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone)
-- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url)
-- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace)
-- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace)
-- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
-- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
-- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
-- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
-- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)
-- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
-- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching)
-- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
-- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
-- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
-## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policies-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-supported-by-hololens-1st-gen-commercial-suite.md
deleted file mode 100644
index 7e2622844c..0000000000
--- a/windows/client-management/mdm/policies-supported-by-hololens-1st-gen-commercial-suite.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: Policies supported by HoloLens (1st gen) Commercial Suite
-description: Policies supported by HoloLens (1st gen) Commercial Suite
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 09/17/2019
----
-
-# Policies supported by HoloLens (1st gen) Commercial Suite
-
-> [!div class="op_single_selector"]
->
-> - [HoloLens 2](policies-supported-by-hololens2.md)
-> - [HoloLens (1st gen) Commercial Suite](policies-supported-by-hololens-1st-gen-commercial-suite.md)
-> - [HoloLens (1st gen) Development Edition](policies-supported-by-hololens-1st-gen-development-edition.md)
->
-- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
-- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
-- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
-- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
-- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
-- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
-- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
-- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
-- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
-- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
-- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
-- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
-- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
-- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
-- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
-- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
-- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
-- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
-
-## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policies-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-supported-by-hololens-1st-gen-development-edition.md
deleted file mode 100644
index 4aefceaece..0000000000
--- a/windows/client-management/mdm/policies-supported-by-hololens-1st-gen-development-edition.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Policies supported by HoloLens (1st gen) Development Edition
-description: Policies supported by HoloLens (1st gen) Development Edition
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 07/18/2019
----
-
-# Policies supported by HoloLens (1st gen) Development Edition
-
-> [!div class="op_single_selector"]
->
-> - [HoloLens 2](policies-supported-by-hololens2.md)
-> - [HoloLens (1st gen) Commercial Suite](policies-supported-by-hololens-1st-gen-commercial-suite.md)
-> - [HoloLens (1st gen) Development Edition](policies-supported-by-hololens-1st-gen-development-edition.md)
->
-
-- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
-- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
-- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
-- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
-- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
-- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
-- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
-- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
-- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
-- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
-- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
-- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
-- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
-- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
-- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
-
-## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policies-supported-by-hololens2.md b/windows/client-management/mdm/policies-supported-by-hololens2.md
deleted file mode 100644
index 4fa3a7f423..0000000000
--- a/windows/client-management/mdm/policies-supported-by-hololens2.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Policies supported by HoloLens 2
-description: Policies supported by HoloLens 2
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 07/18/2019
----
-
-# Policies supported by HoloLens 2
-
-> [!div class="op_single_selector"]
->
-> - [HoloLens 2](policies-supported-by-hololens2.md)
-> - [HoloLens (1st gen) Commercial Suite](policies-supported-by-hololens-1st-gen-commercial-suite.md)
-> - [HoloLens (1st gen) Development Edition](policies-supported-by-hololens-1st-gen-development-edition.md)
->
-- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
-- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
-- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
-- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
-- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
-- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
-- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
-- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
-- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
-- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
-- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera)
-- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation)
-- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone)
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
-- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
-- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
-- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
-- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
-- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
-- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
-- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
-- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
-- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
-- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
-- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
-- [Update/PauseFeatureUpdates](policy-csp-update.md#update-pausefeatureupdates)
-- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
-- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
-- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
-- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
-
-## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policies-supported-by-iot-core.md b/windows/client-management/mdm/policies-supported-by-iot-core.md
deleted file mode 100644
index 8e2efa62c5..0000000000
--- a/windows/client-management/mdm/policies-supported-by-iot-core.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Policies supported by Windows 10 IoT Core
-description: Policies supported by Windows 10 IoT Core
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 09/16/2019
----
-
-# Policies supported by Windows 10 IoT Core
-
-> [!div class="op_single_selector"]
->
-> - [IoT Enterprise](policies-supported-by-iot-enterprise.md)
-> - [IoT Core](policies-supported-by-iot-core.md)
->
-
-- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
-- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
-- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#dataprotection-allowdirectmemoryaccess)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
-- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
-- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
-- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
-- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
-- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
-- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
-- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
-- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
-
-## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policies-supported-by-iot-enterprise.md b/windows/client-management/mdm/policies-supported-by-iot-enterprise.md
deleted file mode 100644
index 4602e64513..0000000000
--- a/windows/client-management/mdm/policies-supported-by-iot-enterprise.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Policies supported by Windows 10 IoT Enterprise
-description: Policies supported by Windows 10 IoT Enterprise
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 07/18/2019
----
-
-# Policies supported by Windows 10 IoT Enterprise
-
-> [!div class="op_single_selector"]
->
-> - [IoT Enterprise](policies-supported-by-iot-enterprise.md)
-> - [IoT Core](policies-supported-by-iot-core.md)
->
-
-- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
-- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
-- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
-- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
-- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
-- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
-- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
-
-## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policies-supported-by-surface-hub.md b/windows/client-management/mdm/policies-supported-by-surface-hub.md
deleted file mode 100644
index 778ff39d58..0000000000
--- a/windows/client-management/mdm/policies-supported-by-surface-hub.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Policies supported by Microsoft Surface Hub
-description: Policies supported by Microsoft Surface Hub
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 07/18/2019
----
-
-# Policies supported by Microsoft Surface Hub
-
-- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
-- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
-- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites)
-- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning)
-- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring)
-- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection)
-- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning)
-- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
-- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
-- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
-- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem)
-- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
-- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
-- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)
-- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning)
-- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess)
-- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor)
-- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware)
-- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions)
-- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths)
-- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses)
-- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection)
-- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection)
-- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter)
-- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime)
-- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday)
-- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime)
-- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval)
-- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent)
-- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
-- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
-- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
-- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#textinput-allowjapaneseimesurrogatepaircharacters)
-- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#textinput-allowjapaneseivscharacters)
-- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#textinput-allowjapanesenonpublishingstandardglyph)
-- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#textinput-allowjapaneseuserdictionary)
-- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc)
-- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis)
-- [WiFi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
-
-## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 9d72af8a49..4f6316b7c7 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -15,6 +15,8 @@ ms.date: 07/18/2019
# Policy CSP
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
@@ -198,6 +200,9 @@ The following diagram shows the Policy configuration service provider in tree fo
ApplicationManagement/AllowSharedUserAppData
+
+ ApplicationManagement/BlockNonAdminUserInstall
+
ApplicationManagement/DisableStoreOriginatedApps
@@ -612,6 +617,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Bluetooth/ServicesAllowedList
+
+ Bluetooth/SetMinimumEncryptionKeySize
+
### Browser policies
@@ -3325,6 +3333,23 @@ The following diagram shows the Policy configuration service provider in tree fo
Storage/AllowDiskHealthModelUpdates
+
+ Storage/AllowStorageSenseGlobal
+
+
+ Storage/AllowStorageSenseTemporaryFilesCleanup
+
+
+ Storage/ConfigStorageSenseCloudContentDehydrationThreshold
+
+
+ Storage/ConfigStorageSenseDownloadsCleanupThreshold
+
+
+ Storage/ConfigStorageSenseGlobalCadence
+
+
+ Storage/ConfigStorageSenseRecycleBinCleanupThreshold
Storage/EnhancedStorageDevices
@@ -4004,24 +4029,24 @@ The following diagram shows the Policy configuration service provider in tree fo
-## Policies supported by Group Policy and ADMX-backed policies
-- [Policies supported by Group Policy](policies-supported-by-group-policy.md)
-- [ADMX-backed policies](policies-admx-backed.md)
+## Policy CSPs supported by Group Policy and ADMX-backed policy CSPs
+- [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+- [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
-## Policies supported by HoloLens devices
-- [Policies supported by HoloLens 2](policies-supported-by-hololens2.md)
-- [Policies supported by HoloLens (1st gen) Commercial Suite](policies-supported-by-hololens-1st-gen-commercial-suite.md)
-- [Policies supported by HoloLens (1st gen) Development Edition](policies-supported-by-hololens-1st-gen-development-edition.md)
+## Policy CSPs supported by HoloLens devices
+- [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
+- [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+- [Policy CSPs supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
-## Policies supported by Windows 10 IoT
-- [Policies supported by Windows 10 IoT Enterprise](policies-supported-by-iot-enterprise.md)
-- [Policies supported by Windows 10 IoT Core](policies-supported-by-iot-core.md)
+## Policy CSPs supported by Windows 10 IoT
+- [Policy CSPs supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+- [Policy CSPs supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
-## Policies supported by Microsoft Surface Hub
-- [Policies supported by Microsoft Surface Hub](policies-supported-by-surface-hub.md)
+## Policy CSPs supported by Microsoft Surface Hub
+- [Policy CSPs supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
-## Policies that can be set using Exchange Active Sync (EAS)
-- [Policies that can be set using Exchange Active Sync (EAS)](policies-that-can-be-set-using-eas.md)
+## Policy CSPs that can be set using Exchange Active Sync (EAS)
+- [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
## Related topics
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index e978cc82da..f097cc7b37 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -232,6 +232,9 @@ Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
+> [!NOTE]
+> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
+
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index a7680a8600..798bbae111 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 02/11/2020
ms.reviewer:
manager: dansimp
---
@@ -39,6 +39,9 @@ manager: dansimp
ApplicationManagement/AllowSharedUserAppData
+
+ ApplicationManagement/BlockNonAdminUserInstall
+
ApplicationManagement/DisableStoreOriginatedApps
@@ -414,6 +417,83 @@ Most restricted value: 0
+
+**ApplicationManagement/BlockNonAdminUserInstall**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ 7 |
+
+
+ | Enterprise |
+ 7 |
+
+
+ | Education |
+ 7 |
+
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in the next major release of Windows 10.
+
+Manages non-administrator users' ability to install Windows app packages.
+
+If you enable this policy, non-administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies.
+
+If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages.
+
+
+
+ADMX Info:
+- GP English name: *Prevent non-admin users from installing packaged Windows apps*
+- GP name: *BlockNonAdminUserInstall*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+The following list shows the supported values:
+- 0 (default) - Disabled. All users will be able to initiate installation of Windows app packages.
+- 1 - Enabled. Non-administrator users will not be able to initiate installation of Windows app packages.
+
+
+
+
+
+
+
+
+
+
+
**ApplicationManagement/DisableStoreOriginatedApps**
@@ -1032,6 +1112,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in the next major release of Windows 10.
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 225de9c9ca..40e770a691 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -7,14 +7,15 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 02/12/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - Bluetooth
-
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -40,6 +41,9 @@ manager: dansimp
Bluetooth/ServicesAllowedList
+
+ Bluetooth/SetMinimumEncryptionKeySize
+
@@ -390,6 +394,72 @@ The default value is an empty string. For more information, see [ServicesAllowed
+
+
+
+
+**Bluetooth/SetMinimumEncryptionKeySize**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ 7 |
+
+
+ | Business |
+ 7 |
+
+
+ | Enterprise |
+ 7 |
+
+
+ | Education |
+ 7 |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in the next major release of Windows 10.
+There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments.
+
+
+
+The following list shows the supported values:
+- 0 (default) - All Bluetooth traffic is allowed.
+- N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N.
+
+For more information on allowed key sizes, refer to Bluetooth Core Specification v5.1.
+
+
+
+
+
+
+
+
+
Footnotes:
@@ -400,6 +470,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in the next major release of Windows 10.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 1539c913c4..d691487aa2 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1725,9 +1725,9 @@ Valid values: 0–90
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
-If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
+If you enable this setting, catch-up scans for scheduled full scans will be disabled.
Supported values:
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index f32917cdbc..adf4eb44d5 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -74,7 +74,7 @@ manager: dansimp
-Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
+Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
The system settings require a reboot; the application settings do not require a reboot.
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index adff5f8a8b..8053b57d73 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -7,7 +7,8 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 04/07/2020
+
ms.reviewer:
manager: dansimp
---
@@ -74,9 +75,16 @@ manager: dansimp
-This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership.
-Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed.
+
+> [!CAUTION]
+> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error:
+>
+> | Error Code | Symbolic Name | Error Description | Header |
+> |----------|----------|----------|----------|
+> | 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
@@ -121,25 +129,28 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and
-Here is an example:
+Here's an example:
```
-
-
-
-
+
+
+
-
-
-
+
+
+
```
+where:
+- `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``.
+- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure.
+The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
+- In this example, `Group1` and `Group2` are local groups on the device being configured.
> [!Note]
-> * You should include the local administrator while modifying the administrators group to prevent accidental loss of access
-> * Include the entire UPN after AzureAD
+> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a local group as a member to another local group by using the member portion, as shown in the above example.
@@ -157,4 +168,3 @@ Footnotes:
- 6 - Added in Windows 10, version 1903.
-
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 205d51bff6..83b2b4ee01 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -83,7 +83,7 @@ manager: dansimp
Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
> [!Note]
-> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.
+> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index a55e6716ff..c5e74893fc 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1025,6 +1025,7 @@ To validate on Desktop, do the following:
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
+> * User
> * Device
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index ff54e474bf..7cb986c7fd 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -307,6 +307,10 @@ ADMX Info:
+The following list shows the supported values:
+
+- 0 (default) – Disabled.
+- 1 – Allowed.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 9d98a92f10..52098ee14c 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1233,8 +1233,8 @@ The following list shows the supported values:
-Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
+Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
ADMX Info:
@@ -1304,7 +1304,8 @@ Default value is 7.
-Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
+
+Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
ADMX Info:
@@ -1374,7 +1375,9 @@ Default value is 7.
-Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
+
+Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
+
ADMX Info:
@@ -1444,7 +1447,8 @@ Default value is 2.
-Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
+
+Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline.
@@ -4170,7 +4174,7 @@ The following list shows the supported values:
-Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed.
+Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed.
Options:
@@ -4179,7 +4183,7 @@ Options:
- 2 – Turn off all notifications, including restart warnings
> [!IMPORTANT]
-> If you choose not to get update notifications and also define other Group policies so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.
+> If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index c485382b9e..25159c3271 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -53,17 +53,17 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID
```
- *S-1-5-32-544*S-1-5-11
+ *S-1-5-32-544*S-1-5-11
```
- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings
```
- *S-1-5-32-544Authenticated Users
+ *S-1-5-32-544Authenticated Users
```
- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings
```
- Authenticated UsersAdministrators
+ Authenticated UsersAdministrators
```
- Empty input indicates that there are no users configured to have that user right
diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md
new file mode 100644
index 0000000000..f79f85154e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-admx-backed.md
@@ -0,0 +1,421 @@
+---
+title: ADMX-backed policy CSPs
+description: ADMX-backed policy CSPs
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# ADMX-backed policy CSPs
+
+> [!div class="op_single_selector"]
+>
+> - [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+> - [ADMX-backed policy-CSPs](policy-csps-admx-backed.md)
+>
+
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
+- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
+- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
+- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
+- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
+- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
+- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
+- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
+- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
+- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
+- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
+- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
+- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
+- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
+- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
+- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
+- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
+- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
+- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
+- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
+- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
+- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
+- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
+- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
+- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
+- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
+- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
+- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
+- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
+- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
+- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
+- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
+- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
+- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
+- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
+- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
+- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
+- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
+- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
+- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
+- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
+- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
+- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
+- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
+- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
+- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
+- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
+- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
+- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
+- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
+- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
+- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
+- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
+- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
+- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
+- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
+- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
+- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
+- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
+- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
+- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
+- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
+- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
+- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
+- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
+- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
+- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
+- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
+- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
+- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
+- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
+- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
+- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
+- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
+- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
+- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
+- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
+- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
+- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
+- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
+- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
+- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
+- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
+- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
+- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
+- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
+- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
+- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
+- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
+- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
+- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
+- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
+- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
+- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
+- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
+- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
+- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
+- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
+- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
+- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
+- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
+- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
+- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
+- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
+- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
+- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
+- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
+- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
+- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
+- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
+- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
+- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
+- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
+- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
+- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md
new file mode 100644
index 0000000000..328dfe2238
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md
@@ -0,0 +1,913 @@
+---
+title: Policy CSPs supported by Group Policy
+description: Policy CSPs supported by Group Policy
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by Group Policy
+
+> [!div class="op_single_selector"]
+>
+> - [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+> - [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
+>
+
+- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock)
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration)
+- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers)
+- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr)
+- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata)
+- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps)
+- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall)
+- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges)
+- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly)
+- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume)
+- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime)
+- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime)
+- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate)
+- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority)
+- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority)
+- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout)
+- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown)
+- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools)
+- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions)
+- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash)
+- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun)
+- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode)
+- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate)
+- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist)
+- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch)
+- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting)
+- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory)
+- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization)
+- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions)
+- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen)
+- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading)
+- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage)
+- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary)
+- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit)
+- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines)
+- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar)
+- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton)
+- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode)
+- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout)
+- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith)
+- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics)
+- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
+- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
+- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
+- [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
+- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
+- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
+- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides)
+- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage)
+- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection)
+- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride)
+- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles)
+- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc)
+- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites)
+- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer)
+- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine)
+- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl)
+- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl)
+- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer)
+- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge)
+- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton)
+- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks)
+- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera)
+- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata)
+- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps)
+- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps)
+- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection)
+- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles)
+- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess)
+- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
+- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
+- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
+- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan)
+- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
+- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
+- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
+- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
+- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
+- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan)
+- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan)
+- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
+- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority)
+- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
+- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
+- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
+- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses)
+- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection)
+- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
+- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
+- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder)
+- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources)
+- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch)
+- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
+- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
+- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
+- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps)
+- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi)
+- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps)
+- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps)
+- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps)
+- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy)
+- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory)
+- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana)
+- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice)
+- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata)
+- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight)
+- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures)
+- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight)
+- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter)
+- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings)
+- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience)
+- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
+- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
+- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
+- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
+- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
+- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
+- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
+- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
+- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
+- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
+- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
+- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
+- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
+- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
+- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
+- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
+- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
+- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
+- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
+- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
+- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
+- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
+- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
+- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
+- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
+- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
+- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
+- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
+- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
+- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
+- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
+- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
+- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
+- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
+- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
+- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
+- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
+- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
+- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
+- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
+- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
+- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
+- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
+- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
+- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
+- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
+- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
+- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
+- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
+- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
+- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
+- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
+- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
+- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
+- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
+- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
+- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
+- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
+- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
+- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
+- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
+- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
+- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
+- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
+- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
+- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
+- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
+- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
+- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
+- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
+- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
+- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
+- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
+- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
+- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
+- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
+- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
+- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
+- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
+- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
+- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
+- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
+- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
+- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
+- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
+- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons)
+- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation)
+- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation)
+- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts)
+- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly)
+- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount)
+- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount)
+- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon)
+- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
+- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
+- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
+- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
+- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
+- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
+- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
+- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
+- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
+- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers)
+- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon)
+- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile)
+- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators)
+- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers)
+- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated)
+- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations)
+- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations)
+- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe)
+- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
+- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
+- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
+- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
+- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
+- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
+- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
+- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
+- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
+- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
+- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate)
+- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync)
+- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources)
+- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange)
+- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative)
+- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers)
+- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers)
+- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative)
+- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources)
+- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification)
+- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring)
+- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification)
+- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
+- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
+- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery)
+- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
+- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
+- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
+- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
+- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery)
+- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin)
+- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery)
+- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
+- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery)
+- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery)
+- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin)
+- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
+- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
+- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
+- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
+- [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard)
+- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
+- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience)
+- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
+- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar)
+- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps)
+- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps)
+- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory)
+- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps)
+- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps)
+- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera)
+- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps)
+- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps)
+- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps)
+- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts)
+- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps)
+- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps)
+- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps)
+- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail)
+- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps)
+- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps)
+- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps)
+- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation)
+- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps)
+- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps)
+- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging)
+- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps)
+- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps)
+- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone)
+- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps)
+- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps)
+- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion)
+- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps)
+- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps)
+- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps)
+- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications)
+- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps)
+- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps)
+- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps)
+- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone)
+- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps)
+- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps)
+- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios)
+- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps)
+- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps)
+- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks)
+- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps)
+- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps)
+- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices)
+- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices)
+- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps)
+- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps)
+- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps)
+- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities)
+- [Privacy/UploadUserActivities](./policy-csp-privacy.md#privacy-uploaduseractivities)
+- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
+- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
+- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
+- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
+- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
+- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
+- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
+- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
+- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
+- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
+- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
+- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
+- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
+- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
+- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles)
+- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
+- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
+- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics)
+- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection)
+- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff)
+- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing)
+- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults)
+- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
+- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
+- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
+- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
+- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
+- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
+- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
+- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol)
+- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
+- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
+- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus)
+- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
+- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
+- [Start/StartLayout](./policy-csp-start.md#start-startlayout)
+- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
+- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
+- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
+- [System/AllowCommercialDataPipeline](./policy-csp-system.md#system-allowcommercialdatapipeline)
+- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata)
+- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
+- [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
+- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry)
+- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint)
+- [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification)
+- [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux)
+- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete)
+- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer)
+- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy)
+- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync)
+- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
+- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics)
+- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy)
+- [System/TurnOffFileHistory](./policy-csp-system.md#system-turnofffilehistory)
+- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode)
+- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode)
+- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode)
+- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode)
+- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode)
+- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode)
+- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection)
+- [Troubleshooting/AllowRecommendations](./policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
+- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
+- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
+- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
+- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork)
+- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
+- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
+- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
+- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
+- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
+- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
+- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup)
+- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
+- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot)
+- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
+- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
+- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod)
+- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
+- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
+- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
+- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates)
+- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
+- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates)
+- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
+- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates)
+- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
+- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
+- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
+- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals)
+- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates)
+- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime)
+- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates)
+- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime)
+- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade)
+- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning)
+- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning)
+- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek)
+- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek)
+- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek)
+- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek)
+- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
+- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
+- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
+- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess)
+- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess)
+- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
+- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel)
+- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
+- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
+- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)
+- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork)
+- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem)
+- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon)
+- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories)
+- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime)
+- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects)
+- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile)
+- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects)
+- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks)
+- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken)
+- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms)
+- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork)
+- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon)
+- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon)
+- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation)
+- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits)
+- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient)
+- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority)
+- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers)
+- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory)
+- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog)
+- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume)
+- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment)
+- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel)
+- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess)
+- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown)
+- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories)
+- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing)
+- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
+- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname)
+- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui)
+- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui)
+- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton)
+- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui)
+- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications)
+- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui)
+- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui)
+- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui)
+- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications)
+- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning)
+- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui)
+- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride)
+- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email)
+- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts)
+- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization)
+- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery)
+- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot)
+- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting)
+- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol)
+- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone)
+- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url)
+- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace)
+- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace)
+- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
+- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
+- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
+- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
+- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)
+- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
+- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching)
+- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
+- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
+- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md
new file mode 100644
index 0000000000..f77d3c1308
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md
@@ -0,0 +1,71 @@
+---
+title: Policy CSPs supported by HoloLens (1st gen) Commercial Suite
+description: Policy CSPs supported by HoloLens (1st gen) Commercial Suite
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 09/17/2019
+---
+
+# Policy CSPs supported by HoloLens (1st gen) Commercial Suite
+
+> [!div class="op_single_selector"]
+>
+> - [HoloLens 2](policy-csps-supported-by-hololens2.md)
+> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+>
+
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
+- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
+- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
+- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md
new file mode 100644
index 0000000000..2dec2fdb8b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md
@@ -0,0 +1,69 @@
+---
+title: Policy CSPs supported by HoloLens (1st gen) Development Edition
+description: Policy CSPs supported by HoloLens (1st gen) Development Edition
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by HoloLens (1st gen) Development Edition
+
+> [!div class="op_single_selector"]
+>
+> - [HoloLens 2](policy-csps-supported-by-hololens2.md)
+> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+>
+
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
+- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
+- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
+- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md
new file mode 100644
index 0000000000..d6936c3bf9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md
@@ -0,0 +1,89 @@
+---
+title: Policy CSPs supported by HoloLens 2
+description: Policy CSPs supported by HoloLens 2
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by HoloLens 2
+
+> [!div class="op_single_selector"]
+>
+> - [HoloLens 2](policy-csps-supported-by-hololens2.md)
+> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+>
+
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
+- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
+- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
+- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera)
+- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation)
+- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
+- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
+- [Update/PauseFeatureUpdates](policy-csp-update.md#update-pausefeatureupdates)
+- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
+- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-core.md b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md
new file mode 100644
index 0000000000..c37cdb1b86
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md
@@ -0,0 +1,74 @@
+---
+title: Policy CSPs supported by Windows 10 IoT Core
+description: Policy CSPs supported by Windows 10 IoT Core
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 09/16/2019
+---
+
+# Policy CSPs supported by Windows 10 IoT Core
+
+> [!div class="op_single_selector"]
+>
+> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+> - [IoT Core](policy-csps-supported-by-iot-core.md)
+>
+
+- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#dataprotection-allowdirectmemoryaccess)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
+- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
+- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
+- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md
new file mode 100644
index 0000000000..f0837806da
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md
@@ -0,0 +1,69 @@
+---
+title: Policy CSPs supported by Windows 10 IoT Enterprise
+description: Policy CSPs supported by Windows 10 IoT Enterprise
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by Windows 10 IoT Enterprise
+
+> [!div class="op_single_selector"]
+>
+> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+> - [IoT Core](policy-csps-supported-by-iot-core.md)
+>
+
+- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
+- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
+- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
+- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
+- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
new file mode 100644
index 0000000000..ec48042286
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
@@ -0,0 +1,79 @@
+---
+title: Policy CSPs supported by Microsoft Surface Hub
+description: Policy CSPs supported by Microsoft Surface Hub
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by Microsoft Surface Hub
+
+- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites)
+- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
+- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem)
+- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)
+- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning)
+- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess)
+- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor)
+- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware)
+- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions)
+- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths)
+- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses)
+- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection)
+- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection)
+- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday)
+- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime)
+- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
+- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
+- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#textinput-allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#textinput-allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#textinput-allowjapanesenonpublishingstandardglyph)
+- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#textinput-allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis)
+- [WiFi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policies-that-can-be-set-using-eas.md b/windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md
similarity index 89%
rename from windows/client-management/mdm/policies-that-can-be-set-using-eas.md
rename to windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md
index 3c0303c2c0..171652aa2b 100644
--- a/windows/client-management/mdm/policies-that-can-be-set-using-eas.md
+++ b/windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md
@@ -1,6 +1,6 @@
---
-title: Policies that can be set using Exchange Active Sync (EAS)
-description: Policies that can be set using Exchange Active Sync (EAS)
+title: Policy CSPs that can be set using Exchange Active Sync (EAS)
+description: Policy CSPs that can be set using Exchange Active Sync (EAS)
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
ms.date: 07/18/2019
---
-# Policies that can be set using Exchange Active Sync (EAS)
+# Policy CSPs that can be set using Exchange Active Sync (EAS)
- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
@@ -36,4 +36,5 @@ ms.date: 07/18/2019
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index 70668fa9de..e7cb92b9c4 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -45,12 +45,16 @@ Setting a null (empty) date will delete the existing schedule. In accordance wit
The supported operations are Get, Add, Replace, and Delete.
+The supported data type is "String".
+
**Schedule/DailyRecurrent**
This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
Example to configure: 2018-10-25T18:00:00
The supported operations are Get, Add, Replace, and Delete.
+The supported data type is "String".
+
## Related topics
diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md
index d060d950c0..3beb6993e3 100644
--- a/windows/client-management/mdm/reclaim-seat-from-user.md
+++ b/windows/client-management/mdm/reclaim-seat-from-user.md
@@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 09/18/2017
+ms.date: 05/05/2020
---
# Reclaim seat from user
diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
index cfa669f4e5..be9c8a5339 100644
--- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
+++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
@@ -21,7 +21,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
## Register your free Azure Active Directory subscription
-1. Sign in to the Office 365 portal at using your organization's account.
+1. Sign in to the Microsoft 365 admin center at using your organization's account.
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index bdf604d6d8..3ee8a2cd21 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -48,16 +48,16 @@ Supported operation is Exec.
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
**AutomaticRedeployment**
-Added in Windows 10, next major update. Node for the Autopilot Reset operation.
+Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
**AutomaticRedeployment/doAutomaticRedeployment**
-Added in Windows 10, next major update. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
+Added in Windows 10, version 1809. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
**AutomaticRedeployment/LastError**
-Added in Windows 10, next major update. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT).
+Added in Windows 10, version 1809. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT).
**AutomaticRedeployment/Status**
-Added in Windows 10, next major update. Status value indicating current state of an Autopilot Reset operation.
+Added in Windows 10, version 1809. Status value indicating current state of an Autopilot Reset operation.
Supported values:
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 33001ff094..ab3a46a409 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 03/02/2018
+ms.date: 03/23/2020
ms.reviewer:
manager: dansimp
---
@@ -28,7 +28,7 @@ Depending on the specific category of the settings that they control (OS or appl
In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are leveraged to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), is not required.
-An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC’s Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
+An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies).
@@ -37,22 +37,22 @@ Windows maps the name and category path of a Group Policy to a MDM policy area a
## ADMX files and the Group Policy Editor
-To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named “Publishing Server 2 Settings.” When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**.
+To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**.
-The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the “Publishing Server 2 Settings” is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category.
+The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category.
Group Policy option button setting:
- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur:
- The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
- - The MDM client stack receives this data, which causes the Policy CSP to update the device’s registry per the ADMX-backed policy definition.
+ - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX-backed policy definition.
- If **Disabled** is selected and you click **Apply**, the following events occur:
- The MDM ISV server sets up a Replace SyncML command with a payload set to ``.
- - The MDM client stack receives this command, which causes the Policy CSP to either delete the device’s registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition.
+ - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition.
- If **Not Configured** is selected and you click **Apply**, the following events occur:
- MDM ISV server sets up a Delete SyncML command.
- - The MDM client stack receives this command, which causes the Policy CSP to delete the device’s registry settings per the ADMX-backed policy definition.
+ - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX-backed policy definition.
The following diagram shows the main display for the Group Policy Editor.
@@ -62,7 +62,7 @@ The following diagram shows the settings for the "Publishing Server 2 Settings"
-Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ``. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server’s IT administrator console must also do. For every `` element and id attribute in the ADMX policy definition, there must be a corresponding `` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol.
+Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ``. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every `` element and id attribute in the ADMX policy definition, there must be a corresponding `` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol.
> [!IMPORTANT]
> Any data entry field that is displayed in the Group Policy page of the Group Policy Editor must be supplied in the encoded XML of the SyncML payload. The SyncML data payload is equivalent to the user-supplied Group Policy data through GPEdit.msc.
@@ -171,7 +171,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
-
+ ]]>
@@ -249,10 +249,10 @@ Note that the data payload of the SyncML needs to be encoded so that it does not
.
.
.
-
-
-
-
+
+
+
+
.
.
.
@@ -275,7 +275,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit
-
+
```
@@ -310,14 +310,14 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and
```XML
-
-
-
-
-
+ explainText="$(string.Virtualization_JITVAllowList_Help)" presentation="$(presentation.Virtualization_JITVAllowList)"
+ key="SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization"
+ valueName="ProcessesUsingVirtualComponents">
+
+
+
+
+
```
@@ -337,7 +337,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and
./Device/Vendor/MSFT/Policy/Config/AppVirtualization/VirtualComponentsAllowList
-
+ ]]>
@@ -352,7 +352,7 @@ The `list` element simply corresponds to a hive of REG_SZ registry strings and c
> [!NOTE]
> It is expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``).
-Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It is expected that the MDM server manages the name/value pairs. See below for a simple writeup of Group Policy List.
+Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It is expected that the MDM server manages the name/value pairs. See below for a simple write up of Group Policy List.
**ADMX file: inetres.admx**
@@ -361,7 +361,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
-
+
```
@@ -381,7 +381,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange
-
+ ]]>
@@ -413,7 +413,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck
-
+ ]]>
@@ -425,32 +425,32 @@ Variations of the `list` element are dictated by attributes. These attributes ar
```XML
-
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-
- -
-
-
-
-
-
+
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+
```
@@ -467,8 +467,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
./Device/Vendor/MSFT/Policy/Config/BitLocker/EncryptionMethodByDriveType
-
-
+
+ ]]>
@@ -482,13 +482,13 @@ Variations of the `list` element are dictated by attributes. These attributes ar
```XML
-
-
-
-
-
+
+
+
+
+
```
@@ -504,8 +504,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentInterval
-
-
+
+ ]]>
@@ -518,25 +518,25 @@ Variations of the `list` element are dictated by attributes. These attributes ar
```XML
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
```
@@ -557,8 +557,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar
./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
-
-
+
+ ]]>
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index dd82298d1b..eecc7c7075 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -175,6 +175,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
@@ -194,7 +195,6 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
IKEv2
Eap
- Eap
diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
index 7b4f4424be..3d2584ee4e 100644
--- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 06/26/2017
+ms.date: 03/23/2020
ms.reviewer:
manager: dansimp
---
@@ -221,7 +221,8 @@ The following example shows an ADMX file in SyncML format:
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01
-
+
+
@@ -350,7 +351,8 @@ The following example shows an ADMX file in SyncML format:
-
+ ]]>
+
@@ -439,7 +441,7 @@ The following examples describe how to set an ADMX-ingested app policy.
./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode
-
+ ]]>
@@ -473,7 +475,7 @@ The following examples describe how to set an ADMX-ingested app policy.
./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode
-
+ ]]>
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index 3acffc551f..5556b97262 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -112,8 +112,8 @@ To verify the BCD entries:
2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder.
- >[!NOTE]
- >If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension.
+ > [!NOTE]
+ > If the computer is UEFI-based, the **bootmgr** and **winload** entries under **{default}** will contain an **.efi** extension.
@@ -279,4 +279,3 @@ The reason that these entries may affect us is because there may be an entry in
* `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows`
-
diff --git a/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md b/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md
index 6092ae3bc8..fb99d5d919 100644
--- a/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md
+++ b/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md
@@ -23,7 +23,7 @@ This issue affects computers that meet the following criteria:
- The network adapter is a Broadcom NX1 Gigabit Ethernet network adapter.
- The number of logical processors is large (for example, a computer that has more than 38 logical processors).
-On such a computer, when you update the in-box Broadcom network adapter driver to a later version, the computer experiences a Stop error (also known as a blue screen error or bug check error).
+On such a computer, when you update the in-box Broadcom network adapter driver to a later version or when you install the Intel chipset driver, the computer experiences a Stop error (also known as a blue screen error or bug check error).
## Cause
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 719976a254..3fe73d34ec 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -59,7 +59,7 @@ To troubleshoot Stop error messages, follow these general steps:
3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions.
-4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
+4. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space.
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
index 664dc7700e..c9691539ef 100644
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps
Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag.
-Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](http://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx).
+Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx).
### Use memory dump to collect data for the virtual machine that's running in a frozen state
@@ -284,4 +284,4 @@ On Windows Server 2008, you may not have enough free disk space to generate a co
Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028).
-For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
+For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 8ca269aefe..1239cdfc7a 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -18,6 +18,9 @@ manager: dansimp
- Windows 10, version 1703
- Windows 10 Mobile, version 1703
+>[!IMPORTANT]
+>Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only.
+
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
>[!Note]
@@ -35,6 +38,7 @@ To use this walkthrough, you’ll need:
- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
**To connect your account to Windows**
+
a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index f13d6f81c8..ad794f7530 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -117,11 +117,11 @@ When you have the Start layout that you want your users to see, use the [Export-
- <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <LayoutModificationTemplate Version="1" xmlns="https://schemas.microsoft.com/Start/2014/LayoutModification">
<DefaultLayoutOverride>
<StartLayoutCollection>
- <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
- <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
+ <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="https://schemas.microsoft.com/Start/2014/FullDefaultLayout">
+ <start:Group Name="Life at a glance" xmlns:start="https://schemas.microsoft.com/Start/2014/StartLayout">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
diff --git a/windows/configuration/images/sccm-asset.PNG b/windows/configuration/images/configmgr-asset.PNG
similarity index 100%
rename from windows/configuration/images/sccm-asset.PNG
rename to windows/configuration/images/configmgr-asset.PNG
diff --git a/windows/configuration/images/sccm-assets.PNG b/windows/configuration/images/configmgr-assets.PNG
similarity index 100%
rename from windows/configuration/images/sccm-assets.PNG
rename to windows/configuration/images/configmgr-assets.PNG
diff --git a/windows/configuration/images/sccm-client.PNG b/windows/configuration/images/configmgr-client.PNG
similarity index 100%
rename from windows/configuration/images/sccm-client.PNG
rename to windows/configuration/images/configmgr-client.PNG
diff --git a/windows/configuration/images/sccm-collection.PNG b/windows/configuration/images/configmgr-collection.PNG
similarity index 100%
rename from windows/configuration/images/sccm-collection.PNG
rename to windows/configuration/images/configmgr-collection.PNG
diff --git a/windows/configuration/images/sccm-install-os.PNG b/windows/configuration/images/configmgr-install-os.PNG
similarity index 100%
rename from windows/configuration/images/sccm-install-os.PNG
rename to windows/configuration/images/configmgr-install-os.PNG
diff --git a/windows/configuration/images/sccm-post-refresh.PNG b/windows/configuration/images/configmgr-post-refresh.PNG
similarity index 100%
rename from windows/configuration/images/sccm-post-refresh.PNG
rename to windows/configuration/images/configmgr-post-refresh.PNG
diff --git a/windows/configuration/images/sccm-pxe.PNG b/windows/configuration/images/configmgr-pxe.PNG
similarity index 100%
rename from windows/configuration/images/sccm-pxe.PNG
rename to windows/configuration/images/configmgr-pxe.PNG
diff --git a/windows/configuration/images/sccm-site.PNG b/windows/configuration/images/configmgr-site.PNG
similarity index 100%
rename from windows/configuration/images/sccm-site.PNG
rename to windows/configuration/images/configmgr-site.PNG
diff --git a/windows/configuration/images/sccm-software-cntr.PNG b/windows/configuration/images/configmgr-software-cntr.PNG
similarity index 100%
rename from windows/configuration/images/sccm-software-cntr.PNG
rename to windows/configuration/images/configmgr-software-cntr.PNG
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index ca42852107..6d72ff398f 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -1,6 +1,6 @@
---
title: Configure Windows 10 (Windows 10)
-description: Learn about configuring Windows 10.
+description: Apply custom accessibility configurations to devices for their users using the all the features and methods available with Windows 10.
keywords: Windows 10, MDM, WSUS, Windows update
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index a523b64e83..0f99ece694 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -40,7 +40,6 @@ Remove access to the context menus for the task bar | Enabled
Clear history of recently opened documents on exit | Enabled
Prevent users from customizing their Start Screen | Enabled
Prevent users from uninstalling applications from Start | Enabled
-Remove All Programs list from the Start menu | Enabled
Remove Run menu from Start Menu | Enabled
Disable showing balloon notifications as toast | Enabled
Do not allow pinning items in Jump Lists | Enabled
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index b69a8c78e1..3de98a5454 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -27,7 +27,7 @@ In Windows 10, version 1703, you can install multiple Universal Windows Platform
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
>[!IMPORTANT]
->If you plan to use Intune to manage your devices, we recommend using Intune to install Office 365 ProPlus 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Office 365 ProPlus). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Office 365 ProPlus 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
+>If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Microsoft 365 Apps for enterprise). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Microsoft 365 Apps for enterprise 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
## Settings for UWP apps
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index 2e002f5962..beff0509a7 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -7,7 +7,6 @@ ms.sitesec: library
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
-ms.date: 12/03/18
ms.reviewer:
manager: dansimp
ms.topic: troubleshooting
@@ -34,8 +33,6 @@ When troubleshooting basic Start issues (and for the most part, all other Window
- Powershell:[System.Environment]::OSVersion.Version
- WinVer from CMD.exe
-
-
### Check if Start is installed
- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully.
@@ -66,7 +63,6 @@ If it is installed but not running, test booting into safe mode or use MSCONFIG
- If that file does not exist, the system is a clean install.
- Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"`
-
### Check if Start is registered or activated
- Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet:
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 0f0d1cd783..e665d37ba5 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -78,14 +78,14 @@ You can also use Group Policy to manage access to Microsoft Store.
1. Type gpedit in the search bar to find and start Group Policy Editor.
-2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**.
+2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, and then click **Store**.
-3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**.
+3. In the Setting pane, click **Turn off the Store application**, and then click **Edit policy setting**.
-4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**.
+4. On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**.
> [!Important]
-> Enabling **Turn off Store application** policy turns off app updates from Microsoft Store.
+> Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store.
## Block Microsoft Store using management tool
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index 2a219ab6bc..f9fb4b255a 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -70,9 +70,9 @@ The XML declaration must specify the XML version 1.0 attribute (<?xml version
**Type: String**
-UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
+UE-V uses the https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
-``
+``
### Data types
@@ -646,10 +646,10 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen
```xml
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index 70054cae5a..f3d37601d0 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -67,7 +67,7 @@ WORKAROUND: None.
### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office
-We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click [here](). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office.
+We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click [here](). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office.
WORKAROUND: None
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index ef3757e12b..d4e56af1b7 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -79,19 +79,20 @@
##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
-##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
-##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
-##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+### Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
+#### [Get started with MDT](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
-#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
-#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
-#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
-#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
-#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
-#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
+#### Deploy Windows 10 with MDT
+##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+##### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
+##### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
+##### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
+##### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
+##### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
+##### [Perform an in-place upgrade to Windows 10 with MDT](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+
+#### Customize MDT
+##### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
@@ -101,20 +102,21 @@
##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
-### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-#### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md)
-#### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+### Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+#### Prepare for Windows 10 deployment with Configuration Manager
+##### [Prepare for Zero Touch Installation with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+##### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+##### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+##### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+##### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+##### [Create a task sequence with Configuration Manager and MDT](deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+##### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+
+#### Deploy Windows 10 with Configuration Manager
+##### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+##### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+##### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+##### [Perform an in-place upgrade to Windows 10 using Configuration Manager](deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md)
### [Windows 10 deployment tools](windows-10-deployment-tools.md)
@@ -244,15 +246,23 @@
### Monitor Windows Updates
#### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
#### [Get started with Update Compliance](update/update-compliance-get-started.md)
+##### [Update Compliance Configuration Script](update/update-compliance-configuration-script.md)
+##### [Manually Configuring Devices for Update Compliance](update/update-compliance-configuration-manual.md)
#### [Use Update Compliance](update/update-compliance-using.md)
##### [Need Attention! report](update/update-compliance-need-attention.md)
##### [Security Update Status report](update/update-compliance-security-update-status.md)
##### [Feature Update Status report](update/update-compliance-feature-update-status.md)
-##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md)
##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md)
-##### [Update Compliance Perspectives](update/update-compliance-perspectives.md)
+##### [Data Handling and Privacy in Update Compliance](update/update-compliance-privacy.md)
+##### [Update Compliance Schema Reference](update/update-compliance-schema.md)
+###### [WaaSUpdateStatus](update/update-compliance-schema-waasupdatestatus.md)
+###### [WaaSInsiderStatus](update/update-compliance-schema-waasinsiderstatus.md)
+###### [WaaSDeploymentStatus](update/update-compliance-schema-waasdeploymentstatus.md)
+###### [WUDOStatus](update/update-compliance-schema-wudostatus.md)
+###### [WUDOAggregatedStatus](update/update-compliance-schema-wudoaggregatedstatus.md)
### Best practices
#### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
+#### [Update Windows 10 media with Dynamic Update](update/media-dynamic-update.md)
#### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md)
#### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md)
#### [Conclusion](update/feature-update-conclusion.md)
@@ -271,4 +281,3 @@
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
### [Determine the source of Windows updates](update/windows-update-sources.md)
-
diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md
index a6b6ad9da6..b51e38cfae 100644
--- a/windows/deployment/add-store-apps-to-image.md
+++ b/windows/deployment/add-store-apps-to-image.md
@@ -1,85 +1,86 @@
----
-title: Add Microsoft Store for Business applications to a Windows 10 image
-description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image.
-keywords: upgrade, update, windows, windows 10, deploy, store, image, wim
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Add Microsoft Store for Business applications to a Windows 10 image
-
-**Applies to**
-
-- Windows 10
-
-This topic describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. This will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
-
->[!IMPORTANT]
->In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
-
-## Prerequisites
-
-* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
-
-* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/store-for-business/distribute-offline-apps#download-an-offline-licensed-app).
-
-* A Windows Image. For instructions on image creation, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) or [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
->[!NOTE]
-> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)**.
-
-## Adding a Store application to your image
-
-On a machine where your image file is accessible:
-1. Open Windows PowerShell with administrator privileges.
-2. Mount the image. At the Windows PowerShell prompt, type:
-`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test`
-3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type:
-`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml`
-
->[!NOTE]
->Paths and file names are examples. Use your paths and file names where appropriate.
->
->Do not dismount the image, as you will return to it later.
-
-## Editing the Start Layout
-
-In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
-
-On a test machine:
-1. **Install the Microsoft Store for Business application you previously added** to your image.
-2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
-3. Open Windows PowerShell with administrator privileges.
-4. Use `Export-StartLayout -path .xml` where *\\* is the path and name of the xml file your will later import into your Windows Image.
-5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
-
-Now, on the machine where your image file is accessible:
-1. Import the Start layout. At the Windows PowerShell prompt, type:
-`Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"`
-2. Save changes and dismount the image. At the Windows PowerShell prompt, type:
-`Dismount-WindowsImage -Path c:\test -Save`
-
->[!NOTE]
->Paths and file names are examples. Use your paths and file names where appropriate.
->
->For more information on Start customization see [Windows 10 Start Layout Customization](https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/)
-
-
-## Related topics
-* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
-* [Export-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/export-startlayout)
-* [Import-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/import-startlayout)
-* [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-* [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-* [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
-
-
+---
+title: Add Microsoft Store for Business applications to a Windows 10 image
+description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image.
+keywords: upgrade, update, windows, windows 10, deploy, store, image, wim
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Add Microsoft Store for Business applications to a Windows 10 image
+
+**Applies to**
+
+- Windows 10
+
+This topic describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. This will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
+
+>[!IMPORTANT]
+>In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
+
+## Prerequisites
+
+* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
+
+* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/store-for-business/distribute-offline-apps#download-an-offline-licensed-app).
+deploy-windows-cm
+* A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
+
+>[!NOTE]
+> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)**.
+
+## Adding a Store application to your image
+
+On a machine where your image file is accessible:
+1. Open Windows PowerShell with administrator privileges.
+2. Mount the image. At the Windows PowerShell prompt, type:
+`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test`
+3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type:
+`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml`
+
+>[!NOTE]
+>Paths and file names are examples. Use your paths and file names where appropriate.
+>
+>Do not dismount the image, as you will return to it later.
+
+## Editing the Start Layout
+
+In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
+
+On a test machine:
+1. **Install the Microsoft Store for Business application you previously added** to your image.
+2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
+3. Open Windows PowerShell with administrator privileges.
+4. Use `Export-StartLayout -path .xml` where *\\* is the path and name of the xml file your will later import into your Windows Image.
+5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
+
+Now, on the machine where your image file is accessible:
+1. Import the Start layout. At the Windows PowerShell prompt, type:
+`Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"`
+2. Save changes and dismount the image. At the Windows PowerShell prompt, type:
+`Dismount-WindowsImage -Path c:\test -Save`
+
+>[!NOTE]
+>Paths and file names are examples. Use your paths and file names where appropriate.
+>
+>For more information on Start customization see [Windows 10 Start Layout Customization](https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/)
+
+
+## Related topics
+* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
+* [Export-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/export-startlayout)
+* [Import-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/import-startlayout)
+* [Sideload LOB apps in Windows 10](/windows/application-management/siddeploy-windows-cmws-10)
+* [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+* [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
+
+
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
deleted file mode 100644
index 2389ae314a..0000000000
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ /dev/null
@@ -1,161 +0,0 @@
----
-title: Change history for Deploy Windows 10 (Windows 10)
-description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Change history for Deploy Windows 10
-This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
-
-## April 2018
-
-New or changed topic | Description
---- | ---
-[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express.
-
-## November 2017
-
-New or changed topic | Description
--- | ---
- [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml.
-
-## RELEASE: Windows 10, version 1709
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. |
-| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.|
-
-## July 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| The table of contents for deployment topics was reorganized.
-
-## June 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New |
-
-## April 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. |
-| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. |
-| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. |
-| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. |
-
-
-## RELEASE: Windows 10, version 1703
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index).
-
-
-## March 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [What's new in Windows 10 deployment](deploy-whats-new.md) | New |
-| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. |
-| [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. |
-| [Convert MBR partition to GPT](mbr-to-gpt.md) | New |
-
-## February 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. |
-| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes |
-| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content |
-| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started |
-| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting |
-| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New |
-| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content |
-| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New |
-| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New |
-| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New |
-
-
-## January 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New |
-| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New |
-| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | New |
-| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) |
-| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) |
-| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) |
-| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) |
-| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) |
-| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) |
-| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) |
-| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) |
-| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) |
-| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog |
-| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
-| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
-
-
-## October 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New |
-
-## September 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New |
-| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery |
-| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows |
-| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New |
-
-## RELEASE: Windows 10, version 1607
-
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
-
-- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md)
-- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md)
-- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md)
-
-## August 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements |
-
-## July 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New |
-
-## June 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
-| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 |
-| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New |
-
-## May 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New |
-
-## December 2015
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated |
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated |
-
-## November 2015
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | New |
-
-## Related topics
-- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment)
-- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-- [Change history for Device Security](/windows/device-security/change-history-for-device-security)
-- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 0ee0a6d5b3..4e60ac99b8 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -36,7 +36,7 @@ New [Windows Autopilot](#windows-autopilot) content is available.
## The Modern Desktop Deployment Center
-The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus.
+The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise.
## Microsoft 365
@@ -49,7 +49,7 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
## Windows 10 servicing and support
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
+- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
@@ -58,7 +58,7 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
+Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
@@ -169,11 +169,9 @@ For more information, see the following guides:
The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.
-[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
-
[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-
[Change history for Device Security](/windows/device-security/change-history-for-device-security)
-
[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
-
+[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
+[Change history for Device Security](/windows/device-security/change-history-for-device-security)
+[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
## Related topics
diff --git a/windows/deployment/deploy-windows-cm/TOC.md b/windows/deployment/deploy-windows-cm/TOC.md
new file mode 100644
index 0000000000..b26445c4ab
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/TOC.md
@@ -0,0 +1,15 @@
+# Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+## Prepare for Windows 10 deployment with Configuration Manager
+### [Prepare for Zero Touch Installation with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+### [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+
+## Deploy Windows 10 with Configuration Manager
+### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
similarity index 50%
rename from windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
rename to windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 9fdf3cf07d..1fd47c5505 100644
--- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -17,60 +17,54 @@ ms.topic: article
# Add a Windows 10 operating system image using Configuration Manager
-
**Applies to**
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
+- Windows 10
Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft Endpoint Configuration Manager, and how to distribute the image to a distribution point.
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+## Infrastructure
-1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
-2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
- 
+>[!IMPORTANT]
+>The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below.
- Figure 17. The Windows 10 image copied to the Sources folder structure.
+ ## Add a Windows 10 operating system image
+
+ On **CM01**:
+
+1. Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
+2. Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
+
+ 
+
+ The Windows 10 image being copied to the Sources folder structure.
3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**.
-
-4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**.
-
-5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**.
-
-6. Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**.
-
-7. In the Distribute Content Wizard, add the CM01 distribution point.
-
-8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim, select x64 next to Architecture and choose a language, then click **Next**.
+5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, click **Next** twice, and then click **Close**.
+6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**.
+7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
+8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
- Figure 18. The distributed Windows 10 Enterprise x64 RTM package.
+ The distributed Windows 10 Enterprise x64 RTM package.
+
+Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md).
## Related topics
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
new file mode 100644
index 0000000000..e8896d30de
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -0,0 +1,110 @@
+---
+title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10)
+description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
+ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, task sequence
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+## Add drivers for Windows PE
+
+This section will show you how to import some network and storage drivers for Windows PE.
+
+>[!NOTE]
+>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
+
+This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
+
+
+
+Driver folder structure on CM01
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**.
+3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**.
+4. On the **Select the packages to add the imported driver** page, click **Next**.
+5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image and click **Next**.
+6. In the popup window that appears, click **Yes** to automatically update the distribution point.
+7. Click **Next**, wait for the image to be updated, and then click **Close**.
+
+ 
+ 
+ 
+ 
+
+ Add drivers to Windows PE
+
+## Add drivers for Windows 10
+
+This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545).
+
+For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01.
+
+
+
+Driver folder structure on CM01
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and click **Next**. Wait a minute for driver information to be validated.
+3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, click **OK**, and then click **Next**.
+
+ 
+
+ Create driver categories
+
+
+4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
+
+ * Name: Windows 10 x64 - HP EliteBook 8560w
+ * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w
+
+ >[!NOTE]
+ >The package path does not yet exist, so you have to type it in. The wizard will create the new package using the path you specify.
+
+5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
+
+ >[!NOTE]
+ >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
+
+ 
+
+ Drivers imported and a new driver package created
+
+Next, see [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
new file mode 100644
index 0000000000..5ff94676d8
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -0,0 +1,100 @@
+---
+title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
+description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features.
+ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: tool, customize, deploy, boot image
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create a custom Windows PE boot image with Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
+- The boot image that is created is based on the version of ADK that is installed.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+## Add DaRT 10 files and prepare to brand the boot image
+
+The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image.
+
+We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp.
+
+On **CM01**:
+
+1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT100.msi) using the default settings.
+2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
+3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
+4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
+5. Using File Explorer, navigate to the **C:\\Setup** folder.
+6. Copy the **Branding** folder to **D:\\Sources\\OSD**.
+
+## Create a boot image for Configuration Manager using the MDT wizard
+
+By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
+2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
+
+ >[!NOTE]
+ >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
+
+3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
+4. On the **Options** page, select the **x64** platform, and click **Next**.
+5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and click **Next**.
+
+ 
+
+ Add the DaRT component to the Configuration Manager boot image.
+
+ >Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE.
+
+6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**.
+7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
+8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
+9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
+
+ 
+ 
+
+ Content status for the Zero Touch WinPE x64 boot image
+
+10. Using the Configuration Manager Console, in the Software Library workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
+11. On the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**.
+12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**.
+13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below:
+
+ 
+ 
+
+>Note: Depending on your infrastructure and the number of packages and boot images present, the Image ID might be a different number than PS100009.
+
+Next, see [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
new file mode 100644
index 0000000000..7f539c965d
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -0,0 +1,144 @@
+---
+title: Create a task sequence with Configuration Manager (Windows 10)
+description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
+ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade, task sequence, install
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.pagetype: mdt
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create a task sequence with Configuration Manager and MDT
+
+**Applies to**
+
+- Windows 10
+
+In this article, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly.
+
+## Create a task sequence using the MDT Integration Wizard
+
+This section walks you through the process of creating a Configuration Manager task sequence for production use.
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
+2. On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
+3. On the **General** page, assign the following settings and then click **Next**:
+ * Task sequence name: Windows 10 Enterprise x64 RTM
+ * Task sequence comments: Production image with Office 365 Pro Plus x64
+4. On the **Details** page, assign the following settings and then click **Next**:
+ * Join a Domain
+ * Domain: contoso.com
+ * Account: contoso\\CM\_JD
+ * Password: pass@word1
+ * Windows Settings
+ * User name: Contoso
+ * Organization name: Contoso
+ * Product key: <blank>
+
+5. On the **Capture Settings** page, accept the default settings, and click **Next**.
+6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
+7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
+8. On the **MDT Details** page, assign the name **MDT** and click **Next**.
+9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
+10. On the **Deployment Method** page, accept the default settings (Zero Touch installation) and click **Next**.
+11. On the **Client Package** page, browse and select the **Microsoft Corporation Configuration Manager Client Package** and click **Next**.
+12. On the **USMT Package** page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package and click **Next**.
+13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings** and click **Next**.
+14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
+15. On the **Sysprep Package** page, click **Next** twice.
+16. On the **Confirmation** page, click **Finish**.
+
+## Edit the task sequence
+
+After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and click **Edit**.
+2. In the **Install** group (about halfway down), select the **Set Variable for Drive Letter** action and configure the following:
+ * OSDPreserveDriveLetter: True
+
+ >[!NOTE]
+ >If you don't change this value, your Windows installation will end up in D:\\Windows.
+
+3. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values).
+4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
+5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
+6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
+ * Name: HP EliteBook 8560w
+ * Driver Package: Windows 10 x64 - HP EliteBook 8560w
+ * Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w
+
+ >[!NOTE]
+ >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
+
+ 
+
+ The driver package options
+
+7. In the **State Restore / Install Applications** group, select the **Install Application** action.
+8. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list.
+
+ 
+
+ Add an application to the Configuration Manager task sequence
+
+ >[!NOTE]
+ >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There is also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release.
+
+9. In the **State Restore** group, after the **Set Status 5** action, verify there is a **User State \ Request State Store** action with the following settings:
+ * Request state storage location to: Restore state from another computer
+ * If computer account fails to connect to state store, use the Network Access account: selected
+ * Options: Continue on error
+ * Options / Add Condition:
+ * Task Sequence Variable
+ * USMTLOCAL not equals True
+
+10. In the **State Restore** group, after the **Restore User State** action, verify there is a **Release State Store** action with the following settings:
+ * Options: Continue on error
+ * Options / Condition:
+ * Task Sequence Variable
+ * USMTLOCAL not equals True
+
+11. Click **OK**.
+
+## Organize your packages (optional)
+
+If desired, you can create a folder structure for packages. This is purely for organizational purposes and is useful if you need to manage a large number of packages.
+
+To create a folder for packages:
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
+2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This will create the Root \ OSD folder structure.
+3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**.
+4. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
+
+Next, see [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
new file mode 100644
index 0000000000..7e1c6b9819
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -0,0 +1,86 @@
+---
+title: Create an app to deploy with Windows 10 using Configuration Manager
+description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
+ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deployment, task sequence, custom, customize
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create an application to deploy with Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+
+Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+>[!NOTE]
+>The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image.
+
+## Example: Create the Adobe Reader application
+
+On **CM01**:
+
+1. Create the **D:\Setup** folder if it does not already exist.
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader.
+2. Extract the .exe file that you downloaded to an .msi. The source folder will differ depending on where you downloaded the file. See the following example:
+
+ ```powershell
+ Set-Location C:\Users\administrator.CONTOSO\Downloads
+ .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne
+ ```
+ >Note: the extraction process will create the "Adobe" folder
+
+3. Using File Explorer, copy the **D:\\Setup\\Adobe** folder to the **D:\\Sources\\Software\\Adobe** folder.
+4. In the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
+5. Right-click **Applications**, point to **Folder** and then click **Create Folder**. Assign the name **OSD**.
+6. Right-click the **OSD** folder, and click **Create Application**.
+7. In the Create Application Wizard, on the **General** page, use the following settings:
+
+ * Automatically detect information about this application from installation files
+ * Type: Windows Installer (\*.msi file)
+ * Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi
+
+ 
+
+ The Create Application Wizard
+
+8. Click **Next**, and wait while Configuration Manager parses the MSI file.
+9. On the **Import Information** page, review the information and then click **Next**.
+10. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, click **Next** twice, and then click **Close**.
+
+ >[!NOTE]
+ >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
+
+ 
+
+ Add the "OSD Install" suffix to the application name
+
+11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this is another place to view properties, you can also right-click and select properties).
+12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
+
+Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
new file mode 100644
index 0000000000..a5ea3f78c2
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -0,0 +1,102 @@
+---
+title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
+description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences.
+ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deployment, image, UEFI, task sequence
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 using PXE and Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic.
+
+This topic assumes that you have completed the following prerequisite procedures:
+- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+- [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+
+For the purposes of this guide, we will use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001).
+- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+ - CM01 is also running WDS which will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS.
+- PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network.
+
+>[!NOTE]
+>If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+>[!NOTE]
+>No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console.
+
+## Procedures
+
+1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
+2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass@word1** and click **Next**.
+3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
+4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
+5. The operating system deployment will take several minutes to complete.
+6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following:
+
+ * Install the Windows 10 operating system.
+ * Install the Configuration Manager client and the client hotfix.
+ * Join the computer to the domain.
+ * Install the application added to the task sequence.
+
+ >[!NOTE]
+ >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
+
+ 
+
+ Monitoring the deployment with MDT.
+
+7. When the deployment is finished you will have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus.
+
+Examples are provided below of various stages of deployment:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
new file mode 100644
index 0000000000..b3c301d048
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -0,0 +1,167 @@
+---
+title: Finalize operating system configuration for Windows 10 deployment
+description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment.
+ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: configure, deploy, upgrade
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+## Enable MDT monitoring
+
+This section will walk you through the process of creating the D:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
+
+On **CM01**:
+
+1. Open the Deployment Workbench, right-click **Deployment Shares** and click **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
+
+ * Deployment share path: D:\\MDTProduction
+ * Share name: MDTProduction$
+ * Deployment share description: MDT Production
+ * Options: <default settings>
+
+2. Right-click the **MDT Production** deployment share, and click **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
+
+ 
+
+ Enable MDT monitoring for Configuration Manager
+
+## Configure the Logs folder
+
+The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we will add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence.
+
+On **CM01**:
+
+1. To configure NTFS permissions using icacls.exe, type the following at an elevated Windows PowerShell prompt:
+
+ ```
+ icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
+ ```
+
+2. Using File Explorer, navigate to the **D:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder.
+3. To enable server-side logging, edit the CustomSetting.ini file with Notepad.exe and enter the following settings:
+
+ ```
+ [Settings]
+ Priority=Default
+ Properties=OSDMigrateConfigFiles,OSDMigrateMode
+
+ [Default]
+ DoCapture=NO
+ ComputerBackupLocation=NONE
+ MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com
+ OSDMigrateMode=Advanced
+ OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
+ OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
+ SLSHARE=\\CM01\Logs$
+ EventService=http://CM01:9800
+ ApplyGPOPack=NO
+ ```
+
+ 
+
+ The Settings package, holding the rules and the Unattend.xml template used during deployment
+
+3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Click **OK** in the popup dialog box.
+
+ >[!NOTE]
+ >Although you have not yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes.
+
+## Distribute content to the CM01 distribution portal
+
+In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**.
+2. In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
+3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully.
+
+ 
+
+ Content status
+
+## Create a deployment for the task sequence
+
+This sections provides steps to help you create a deployment for the task sequence.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then click **Deploy**.
+2. In the Deploy Software Wizard, on the **General** page, select the **All Unknown Computers** collection and click **Next**.
+3. On the **Deployment Settings** page, use the following settings and then click **Next**:
+
+ * Purpose: Available
+ * Make available to the following: Only media and PXE
+
+ 
+
+ Configure the deployment settings
+
+4. On the **Scheduling** page, accept the default settings and click **Next**.
+5. On the **User Experience** page, accept the default settings and click **Next**.
+6. On the **Alerts** page, accept the default settings and click **Next**.
+7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
+
+ 
+
+ The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE
+
+## Configure Configuration Manager to prompt for the computer name during deployment (optional)
+
+You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
+
+This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and click **Properties**.
+
+2. On the **Collection Variables** tab, create a new variable with the following settings:
+
+ * Name: OSDComputerName
+ * Clear the **Do not display this value in the Configuration Manager console** check box.
+
+3. Click **OK**.
+
+ >[!NOTE]
+ >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
+
+ 
+
+ Configure a collection variable
+
+Next, see [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
new file mode 100644
index 0000000000..ca87d2d6b3
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -0,0 +1,391 @@
+---
+title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10)
+description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
+ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: install, configure, deploy, deployment
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Configuration Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
+
+## Prerequisites
+
+In this topic, you will use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
+
+- Configuration Manager current branch + all security and critical updates are installed.
+ - Note: Procedures in this guide use ConfigMgr 1910. For information about the version of Windows 10 supported by ConfigMgr, see [Support for Windows 10](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
+- The [Active Directory Schema has been extended](https://docs.microsoft.com/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
+- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/configure-discovery-methods).
+- IP range [boundaries and a boundary group](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
+- The Configuration Manager [reporting services](https://docs.microsoft.com/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
+- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
+- The [Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
+- The [CMTrace tool](https://docs.microsoft.com/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
+ - Note: CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this is no longer needed. Configuraton Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool.
+
+For the purposes of this guide, we will use three server computers: DC01, CM01 and HV01.
+- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer does not need to be a domain member.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+### Domain credentials
+
+The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
+
+**Active Directory domain name**: contoso.com
+**Domain administrator username**: administrator
+**Domain administrator password**: pass@word1
+
+## Create the OU structure
+
+>[!NOTE]
+>If you have already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section.
+
+On **DC01**:
+
+To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell.
+
+To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.
+
+```powershell
+$oulist = Import-csv -Path c:\oulist.txt
+ForEach($entry in $oulist){
+ $ouname = $entry.ouname
+ $oupath = $entry.oupath
+ New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf
+ Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
+}
+```
+
+Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt
+
+```text
+OUName,OUPath
+Contoso,"DC=CONTOSO,DC=COM"
+Accounts,"OU=Contoso,DC=CONTOSO,DC=COM"
+Computers,"OU=Contoso,DC=CONTOSO,DC=COM"
+Groups,"OU=Contoso,DC=CONTOSO,DC=COM"
+Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"
+```
+
+Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script:
+
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
+Set-Location C:\Setup\Scripts
+.\ou.ps1
+```
+
+## Create the Configuration Manager service accounts
+
+A role-based model is used to configure permissions for the service accounts needed for operating system deployment in Configuration Manager. Perform the following steps to create the Configuration Manager **join domain** and **network access** accounts:
+
+On **DC01**:
+
+1. In the Active Directory Users and Computers console, browse to **contoso.com / Contoso / Service Accounts**.
+2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
+
+ * Name: CM\_JD
+ * User logon name: CM\_JD
+ * Password: pass@word1
+ * User must change password at next logon: Clear
+ * User cannot change password: Selected
+ * Password never expires: Selected
+
+3. Repeat the step, but for the CM\_NAA account.
+4. After creating the accounts, assign the following descriptions:
+
+ * CM\_JD: Configuration Manager Join Domain Account
+ * CM\_NAA: Configuration Manager Network Access Account
+
+## Configure Active Directory permissions
+
+In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
+
+On **DC01**:
+
+1. Sign in as contoso\administrtor and enter the following at an elevated Windows PowerShell prompt:
+
+ ```
+ Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
+ Set-Location C:\Setup\Scripts
+ .\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
+ ```
+
+2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
+
+ * Scope: This object and all descendant objects
+ * Create Computer objects
+ * Delete Computer objects
+ * Scope: Descendant Computer objects
+ * Read All Properties
+ * Write All Properties
+ * Read Permissions
+ * Modify Permissions
+ * Change Password
+ * Reset Password
+ * Validated write to DNS host name
+ * Validated write to service principal name
+
+## Review the Sources folder structure
+
+On **CM01**:
+
+To support the packages you create in this article, the following folder structure should be created on the Configuration Manager primary site server (CM01):
+
+>[!NOTE]
+>In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
+
+- D:\\Sources
+- D:\\Sources\\OSD
+- D:\\Sources\\OSD\\Boot
+- D:\\Sources\\OSD\\DriverPackages
+- D:\\Sources\\OSD\\DriverSources
+- D:\\Sources\\OSD\\MDT
+- D:\\Sources\\OSD\\OS
+- D:\\Sources\\OSD\\Settings
+- D:\\Sources\\OSD\\Branding
+- D:\\Sources\\Software
+- D:\\Sources\\Software\\Adobe
+- D:\\Sources\\Software\\Microsoft
+
+You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure:
+
+>We will also create the D:\Logs folder here which will be used later to support server-side logging.
+
+```powershell
+New-Item -ItemType Directory -Path "D:\Sources"
+New-Item -ItemType Directory -Path "D:\Sources\OSD"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\Boot"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\DriverPackages"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\DriverSources"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\OS"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\Settings"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\Branding"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\MDT"
+New-Item -ItemType Directory -Path "D:\Sources\Software"
+New-Item -ItemType Directory -Path "D:\Sources\Software\Adobe"
+New-Item -ItemType Directory -Path "D:\Sources\Software\Microsoft"
+New-SmbShare -Name Sources$ -Path D:\Sources -FullAccess "NT AUTHORITY\INTERACTIVE", "BUILTIN\Administrators"
+New-Item -ItemType Directory -Path "D:\Logs"
+New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
+```
+
+## Integrate Configuration Manager with MDT
+
+To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you have already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings.
+
+On **CM01**:
+
+1. Sign in as contoso\administrator.
+2. Ensure the Configuration Manager Console is closed before continuing.
+5. Click Start, type **Configure ConfigManager Integration**, and run the application the following settings:
+
+ * Site Server Name: CM01.contoso.com
+ * Site code: PS1
+
+
+
+MDT integration with Configuration Manager.
+
+## Configure the client settings
+
+Most organizations want to display their name during deployment. In this section, you configure the default Configuration Manager client settings with the Contoso organization name.
+
+On **CM01**:
+
+1. Open the Configuration Manager Console, select the Administration workspace, then click **Client Settings**.
+2. In the right pane, right-click **Default Client Settings** and then click **Properties**.
+3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
+
+
+
+Configure the organization name in client settings.
+
+
+
+The Contoso organization name displayed during deployment.
+
+## Configure the Network Access account
+
+Configuration Manager uses the Network Access account during the Windows 10 deployment process to access content on the distribution points. In this section, you configure the Network Access account.
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**.
+2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
+3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
+
+
+
+Test the connection for the Network Access account.
+
+## Enable PXE on the CM01 distribution point
+
+Configuration Manager has many options for starting a deployment, but starting via PXE is certainly the most flexible in a large environment. In this section, you enable PXE on the CM01 distribution point.
+
+On **CM01**:
+
+1. In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**.
+2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
+3. On the **PXE** tab, use the following settings:
+
+ * Enable PXE support for clients
+ * Allow this distribution point to respond to incoming PXE requests
+ * Enable unknown computer
+ * Require a password when computers use PXE
+ * Password and Confirm password: pass@word1
+
+ 
+
+ Configure the CM01 distribution point for PXE.
+
+ >[!NOTE]
+ >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
+
+4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
+
+ 
+
+ The distmgr.log displays a successful configuration of PXE on the distribution point.
+
+5. Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**.
+
+ 
+
+ The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
+
+ **Note**: These files are used by WDS. They are not used by the ConfigMgr PXE Responder. This article does not use the ConfigMgr PXE Responder.
+
+Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md).
+
+## Components of Configuration Manager operating system deployment
+
+Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
+
+- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
+- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
+- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
+- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
+- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
+- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
+- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
+- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
+
+ **Note** The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10.
+
+## Why integrate MDT with Configuration Manager
+
+As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
+
+>[!NOTE]
+>MDT installation requires the following:
+>- The Windows ADK for Windows 10 (installed in the previous procedure)
+>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
+>- Microsoft .NET Framework
+
+### MDT enables dynamic deployment
+
+When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
+
+The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
+- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
+
+ ``` syntax
+ [Settings]
+ Priority=Model
+ [HP EliteBook 8570w]
+ Packages001=PS100010:Install HP Hotkeys
+ ```
+- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
+
+ ``` syntax
+ [Settings]
+ Priority= ByLaptopType, ByDesktopType
+ [ByLaptopType]
+ Subsection=Laptop-%IsLaptop%
+ [ByDesktopType]
+ Subsection=Desktop-%IsDesktop%
+ [Laptop-True]
+ Packages001=PS100012:Install Cisco VPN Client
+ OSDComputerName=LT-%SerialNumber%
+ MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
+ [Desktop-True]
+ OSDComputerName=DT-%SerialNumber%
+ MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
+ ```
+
+
+
+The Gather action in the task sequence is reading the rules.
+
+### MDT adds an operating system deployment simulation environment
+
+When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
+
+
+
+The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
+
+### MDT adds real-time monitoring
+
+With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
+
+
+
+View the real-time monitoring data with PowerShell.
+
+### MDT adds an optional deployment wizard
+
+For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
+
+
+
+The optional UDI wizard open in the UDI Wizard Designer.
+
+MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
+
+### Why use MDT Lite Touch to create reference images
+
+You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
+- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
+- Configuration Manager performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
+- The Configuration Manager task sequence does not suppress user interface interaction.
+- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
+- MDT Lite Touch does not require any infrastructure and is easy to delegate.
+
+## Related topics
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
new file mode 100644
index 0000000000..24ea36579b
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -0,0 +1,148 @@
+---
+title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
+ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, install, installation, computer refresh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh is not the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refesh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
+
+A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps:
+
+1. Data and settings are backed up locally in a backup folder.
+2. The partition is wiped, except for the backup folder.
+3. The new operating system image is applied.
+4. Other applications are installed.
+5. Data and settings are restored.
+
+## Infrastructure
+
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+For the purposes of this article, we will use one server computer (CM01) and one client computer (PC0003).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10.
+
+>[!NOTE]
+>If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+>[!IMPORTANT]
+>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
+
+## Verify the Configuration Manager client settings
+
+To verify that PC003 is correctly assigned to the PS1 site:
+
+On **PC0003**:
+
+1. Open the Configuration Manager control panel (control smscfgrc).
+2. On the **Site** tab, click **Configure Settings**, then click **Find Site**.
+3. Verify that Configuration Manager has successfullyl found a site to manage this client is displayed. See the following example.
+
+
+
+## Create a device collection and add the PC0003 computer
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+
+ * General
+ * Name: Install Windows 10 Enterprise x64
+ * Limited Collection: All Systems
+ * Membership rules
+ * Add Rule: Direct rule
+ * Resource Class: System Resource
+ * Attribute Name: Name
+ * Value: PC0003
+ * Select Resources
+ * Select **PC0003**
+
+ Use the default settings to complete the remaining wizard pages and click **Close**.
+
+2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
+
+ >[!NOTE]
+ >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
+
+## Create a new deployment
+
+On **CM01**:
+
+Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then click **Deploy**. Use the following settings:
+
+- General
+ - Collection: Install Windows 10 Enterprise x64
+- Deployment Settings
+ - Purpose: Available
+ - Make available to the following: Configuration Manager clients, media and PXE
+
+ >[!NOTE]
+ >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
+
+- Scheduling
+ - <default>
+- User Experience
+ - <default>
+- Alerts
+ - <default>
+- Distribution Points
+ - <default>
+
+## Initiate a computer refresh
+
+Now you can start the computer refresh on PC0003.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Assets and Compliance workspace, click the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, click **Download Computer Policy**, and then click **OK** in the popup dialog box that appears.
+
+On **PC0003**:
+
+1. Open the Software Center (click Start and type **Software Center**, or click the **New software is available** balloon in the system tray), select **Operating Systems** and click the **Windows 10 Enterprise x64 RTM** deployment, then click **Install**.
+2. In the **Software Center** warning dialog box, click **Install Operating System**.
+3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples:
+
+
+
+
+
+
+
+
+
+
+
+
+Next, see [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
new file mode 100644
index 0000000000..b2ef8ff138
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -0,0 +1,214 @@
+---
+title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
+ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, install, installation, replace computer, setup
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the device, you have to run the backup job separately from the deployment of Windows 10.
+
+In this topic, you will create a backup-only task sequence that you run on PC0004 (the device you are replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
+
+## Infrastructure
+
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+For the purposes of this article, we will use one server computer (CM01) and two client computers (PC0004, PC0006).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+ - Important: CM01 must include the **[State migration point](https://docs.microsoft.com/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work.
+- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced.
+- PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004.
+
+>[!NOTE]
+>PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+>[!IMPORTANT]
+>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
+
+## Create a replace task sequence
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
+2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**.
+3. On the **General** page, assign the following settings and click **Next**:
+
+ * Task sequence name: Replace Task Sequence
+ * Task sequence comments: USMT backup only
+
+4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
+5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
+6. On the **USMT Package** page, browse and select the **OSD / Microsoft Corporation User State Migration Tool for Windows** package. Then click **Next**.
+7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**.
+8. On the **Summary** page, review the details and then click **Next**.
+9. On the **Confirmation** page, click **Finish**.
+
+10. Review the Replace Task Sequence.
+
+ >[!NOTE]
+ >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence.
+
+
+
+The backup-only task sequence (named Replace Task Sequence).
+
+## Associate the new device with the old computer
+
+This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
+
+On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS:
+
+1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Do not attempt to PXE boot PC0006 yet.
+
+On **CM01**:
+
+2. Using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**.
+3. On the **Select Source** page, select **Import single computer** and click **Next**.
+4. On the **Single Computer** page, use the following settings and then click **Next**:
+
+ * Computer Name: PC0006
+ * MAC Address: <the mac address that you wrote down>
+ * Source Computer: PC0004
+
+ 
+
+ Creating the computer association between PC0004 and PC0006.
+
+5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**.
+6. On the **Data Preview** page, click **Next**.
+7. On the **Choose additional collections** page, click **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then click **Next**.
+8. On the **Summary** page, click **Next**, and then click **Close**.
+9. Select the **User State Migration** node and review the computer association in the right hand pane.
+10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not.
+11. Review the **Install Windows 10 Enterprise x64** collection. Do not continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again.
+
+## Create a device collection and add the PC0004 computer
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+
+ * General
+ * Name: USMT Backup (Replace)
+ * Limited Collection: All Systems
+ * Membership rules:
+ * Add Rule: Direct rule
+ * Resource Class: System Resource
+ * Attribute Name: Name
+ * Value: PC0004
+ * Select Resources:
+ * Select **PC0004**
+
+ Use default settings for the remaining wizard pages, then click **Close**.
+
+2. Review the **USMT Backup (Replace)** collection. Do not continue until you see the **PC0004** computer in the collection.
+
+## Create a new deployment
+
+On **CM01**:
+
+Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
+
+- General
+ - Collection: USMT Backup (Replace)
+- Deployment Settings
+ - Purpose: Available
+ - Make available to the following: Only Configuration Manager Clients
+- Scheduling
+ - <default>
+- User Experience
+ - <default>
+- Alerts
+ - <default>
+- Distribution Points
+ - <default>
+
+## Verify the backup
+
+This section assumes that you have a computer named PC0004 with the Configuration Manager client installed.
+
+On **PC0004**:
+
+1. If it is not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc).
+2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears.
+
+ >[!NOTE]
+ >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+3. Open the Software Center, select the **Replace Task Sequence** deployment and then click **Install**.
+4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
+5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
+
+
+
+Capturing the user state
+
+On **CM01**:
+
+6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a sub-folder was created containing the USMT backup.
+7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
+
+ >[!NOTE]
+ >It may take a few minutes for the user state store location to be populated.
+
+## Deploy the new computer
+
+On **PC0006**:
+
+1. Start the PC0006 virtual machine (or physical computer), press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
+
+ * Password: pass@word1
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
+
+2. The setup now starts and does the following:
+
+ * Installs the Windows 10 operating system
+ * Installs the Configuration Manager client
+ * Joins it to the domain
+ * Installs the applications
+ * Restores the PC0004 backup
+
+When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:
+
+
+
+
+
+
+
+
+
+
+
+Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
new file mode 100644
index 0000000000..553be3b239
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
@@ -0,0 +1,142 @@
+---
+title: Perform in-place upgrade to Windows 10 via Configuration Manager
+description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a Microsoft Endpoint Configuration Manager task sequence.
+ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Perform an in-place upgrade to Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+
+The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process.
+
+>[!IMPORTANT]
+>Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10.
+
+## Infrastructure
+
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+For the purposes of this article, we will use one server computer (CM01) and one client computers (PC0004).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+## Add an OS upgrade package
+
+Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](https://docs.microsoft.com/configmgr/osd/get-started/manage-operating-system-upgrade-packages).
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and click **Add Operating System Upgrade Package**.
+2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we have extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**.
+3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we have chosen **Windows 10 Enterprise**.
+4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then click **Next**.
+5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**.
+6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**.
+7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
+8. View the content status for the Windows 10 x64 RTM upgrade package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+
+## Create an in-place upgrade task sequence
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**.
+2. On the **Create a new task sequence** page, select **Upgrade an operating system from an upgrade package** and click **Next**.
+3. Use the following settings to complete the wizard:
+
+ * Task sequence name: Upgrade Task Sequence
+ * Description: In-place upgrade
+ * Upgrade package: Windows 10 x64 RTM
+ * Include software updates: Do not install any software updates
+ * Install applications: OSD \ Adobe Acrobat Reader DC
+
+4. Complete the wizard, and click **Close**.
+5. Review the Upgrade Task Sequence.
+
+
+
+The Configuration Manager upgrade task sequence
+
+## Create a device collection
+
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0004 computer running Windows 7 SP1, with the Configuration Manager client installed.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+ - General
+ - Name: Windows 10 x64 in-place upgrade
+ - Limited Collection: All Systems
+ - Membership rules:
+ - Direct rule
+ - Resource Class: System Resource
+ - Attribute Name: Name
+ - Value: PC0004
+ - Select Resources
+ - Select PC0004
+
+2. Review the Windows 10 x64 in-place upgrade collection. Do not continue until you see PC0004 in the collection.
+
+## Deploy the Windows 10 upgrade
+
+In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, right-click the **Upgrade Task Sequence** task sequence, and then click **Deploy**.
+2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then click **Next**.
+3. On the **Content** page, click **Next**.
+4. On the **Deployment Settings** page, click **Next**:
+5. On the **Scheduling** page, accept the default settings, and then click **Next**.
+6. On the **User Experience** page, accept the default settings, and then click **Next**.
+7. On the **Alerts** page, accept the default settings, and then click **Next**.
+7. On the **Distribution Points** page, accept the default settings, and then click **Next**.
+8. On the **Summary** page, click **Next**, and then click **Close**.
+
+## Start the Windows 10 upgrade
+
+Next, run the in-place upgrade task sequence on PC0004.
+
+On **PC0004**:
+
+1. Open the Configuration Manager control panel (control smscfgrc).
+2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears.
+
+ >[!NOTE]
+ >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then click **Install**.
+4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
+5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples:
+
+
+
+
+
+
+
+
+
+In-place upgrade with Configuration Manager
+
+## Related topics
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
diff --git a/windows/deployment/deploy-windows-mdt/TOC.md b/windows/deployment/deploy-windows-mdt/TOC.md
new file mode 100644
index 0000000000..7f51b8ca5b
--- /dev/null
+++ b/windows/deployment/deploy-windows-mdt/TOC.md
@@ -0,0 +1,22 @@
+# Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
+## [Get started with MDT](get-started-with-the-microsoft-deployment-toolkit.md)
+
+## Deploy Windows 10 with MDT
+### [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+### [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+
+## Customize MDT
+### [Configure MDT settings](configure-mdt-settings.md)
+### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+### [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+### [Use web services in MDT](use-web-services-in-mdt.md)
+### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index f0259285ae..67daeba302 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -21,15 +21,19 @@ ms.topic: article
**Applies to**
- Windows 10
-In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of the deployment solution. With images reaching 5 GB in size or more, you can't deploy machines in a remote office over the wire. You need to replicate the content, so that the clients can do local deployments.
+Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
-We will use four machines for this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0006 is a blank machine to which you will deploy Windows 10. You will configure a second deployment server (MDT02) for a remote site (Stockholm) by replicating the deployment share in the original site (New York). MDT01, MDT02, and PC0006 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation.
+
+For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more details on the infrastructure setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-Figure 1. The machines used in this topic.
+Computers used in this topic.
-## Replicate deployment shares
+>HV01 is also used in this topic to host the PC0006 virtual machine.
+
+## Replicate deployment shares
Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
@@ -42,60 +46,88 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes
### Why DFS-R is a better option
-DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication target(s) as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
+DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
-## Set up Distributed File System Replication (DFS-R) for replication
+## Set up Distributed File System Replication (DFS-R) for replication
-Setting up DFS-R for replication is a quick and straightforward process. You prepare the deployment servers and then create a replication group. To complete the setup, you configure some replication settings.
+Setting up DFS-R for replication is a quick and straightforward process: Prepare the deployment servers, create a replication group, then configure some replication settings.
### Prepare MDT01 for replication
-1. On MDT01, using Server Manager, click **Add roles and features**.
-2. On the **Select installation type** page, select **Role-based or feature-based installation**.
-3. On the **Select destination server** page, select **MDT01.contoso.com** and click **Next**.
-4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**.
-5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**.
+On **MDT01**:
- 
+1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt:
- Figure 2. Adding the DFS Replication role to MDT01.
+```powershell
+Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+```
-6. On the **Select features** page, accept the default settings, and click **Next**.
-7. On the **Confirm installation selections** page, click **Install**.
-8. On the **Installation progress** page, click **Close**.
+2. Wait for installation to comlete, and then verify that the installation was successful. See the following output:
+
+```output
+PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+
+Success Restart Needed Exit Code Feature Result
+------- -------------- --------- --------------
+True No Success {DFS Replication, DFS Management Tools, Fi...
+```
### Prepare MDT02 for replication
-1. On MDT02, using Server Manager, click **Add roles and features**.
-2. On the **Select installation type** page, select **Role-based or feature-based installation**.
-3. On the **Select destination server** page, select **MDT02.contoso.com** and click **Next**.
-4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**.
-5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**.
-6. On the **Select features** page, accept the default settings, and click **Next**.
-7. On the **Confirm installation selections** page, click **Install**.
-8. On the **Installation progress** page, click **Close**.
+On **MDT02**:
+
+1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt:
+
+```powershell
+Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+```
+
+2. Wait for installation to comlete, and then verify that the installation was successful. See the following output:
+
+```output
+PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+
+Success Restart Needed Exit Code Feature Result
+------- -------------- --------- --------------
+True No Success {DFS Replication, DFS Management Tools, Fi...
+```
### Create the MDTProduction folder on MDT02
-1. On MDT02, using File Explorer, create the **E:\\MDTProduction** folder.
-2. Share the **E:\\MDTProduction** folder as **MDTProduction$**. Use the default permissions.
+On **MDT02**:
- 
+1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt:
- Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02.
+ ```powershell
+ mkdir d:\MDTProduction
+ New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
+ ```
+
+2. You should see the following output:
+
+ ```output
+ C:\> New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
+
+ Name ScopeName Path Description
+ ---- --------- ---- -----------
+ MDTProduction$ * D:\MDTProduction
+ ```
### Configure the deployment share
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property.
-1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this:
+
+On **MDT01**:
+
+1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use.
```ini
[Settings]
Priority=DefaultGateway, Default
[DefaultGateway]
- 192.168.1.1=NewYork
- 192.168.2.1=Stockholm
+ 10.10.10.1=NewYork
+ 10.10.20.1=Stockholm
[NewYork]
DeployRoot=\\MDT01\MDTProduction$
@@ -106,137 +138,133 @@ When you have multiple deployment servers sharing the same content, you need to
[Default]
UserDomain=CONTOSO
UserID=MDT_BA
+ UserPassword=pass@word1
SkipBDDWelcome=YES
```
-
- > [!NOTE]
- > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local.
- >
- > To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
+ >[!NOTE]
+ >The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
2. Save the Bootstrap.ini file.
-3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**.
-
- 
-
- Figure 4. Updating the MDT Production deployment share.
-
-4. Use the default settings for the Update Deployment Share Wizard.
-5. After the update is complete, use the Windows Deployment Services console. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
+3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes.
+4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
+5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
- Figure 5. Replacing the updated boot image in WDS.
+ Replacing the updated boot image in WDS.
-6. Browse and select the **E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
+ >[!TIP]
+ >If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
+
+ ## Replicate the content
- ## Replicate the content
Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication.
### Create the replication group
-7. On MDT01, using DFS Management, right-click **Replication**, and select **New Replication Group**.
-8. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**.
-9. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
-10. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
+6. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and click **New Replication Group**.
+7. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**.
+8. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
+9. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
- Figure 6. Adding the Replication Group Members.
+ Adding the Replication Group Members.
-11. On the **Topology Selection** page, select the **Full mesh** option and click **Next**.
-12. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**.
-13. On the **Primary Member** page, select **MDT01** and click **Next**.
-14. On the **Folders to Replicate** page, click **Add**, type in **E:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**.
-15. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**.
-16. On the **Edit** page, select the **Enabled** option, type in **E:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**.
-
- 
-
- Figure 7. Configure the MDT02 member.
-
-17. On the **Review Settings and Create Replication Group** page, click **Create**.
-18. On the **Confirmation** page, click **Close**.
+10. On the **Topology Selection** page, select the **Full mesh** option and click **Next**.
+11. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**.
+12. On the **Primary Member** page, select **MDT01** and click **Next**.
+13. On the **Folders to Replicate** page, click **Add**, enter **D:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**.
+14. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**.
+15. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**.
+16. On the **Review Settings and Create Replication Group** page, click **Create**.
+17. On the **Confirmation** page, click **Close**.
### Configure replicated folders
-19. On MDT01, using DFS Management, expand **Replication** and then select **MDTProduction**.
-20. In the middle pane, right-click the **MDT01** member and select **Properties**.
-21. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**:
+18. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**.
+19. In the middle pane, right-click the **MDT01** member and click **Properties**.
+20. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
- In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share:
+ In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share:
``` powershell
- (Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
+ (Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
```
- 
-
- Figure 8. Configure the Staging settings.
-
-22. In the middle pane, right-click the **MDT02** member and select **Properties**.
-23. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**:
+21. In the middle pane, right-click the **MDT02** member and select **Properties**.
+22. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
> [!NOTE]
> It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly.
-
+
+23. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt:
+
+```cmd
+C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary
+MemName IsPrimary
+MDT01 Yes
+MDT02 No
+```
+
### Verify replication
-1. On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder.
-2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
-3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, select **Health report** and click **Next**.
-4. On the **Path and Name** page, accept the default settings and click **Next**.
-5. On the **Members to Include** page, accept the default settings and click **Next**.
-6. On the **Options** page, accept the default settings and click **Next**.
-7. On the **Review Settings and Create Report** page, click **Create**.
-8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
+
+On **MDT02**:
+
+1. Wait until you start to see content appear in the **D:\\MDTProduction** folder.
+2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
+3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and click **Next**.
+4. On the **Path and Name** page, accept the default settings and click **Next**.
+5. On the **Members to Include** page, accept the default settings and click **Next**.
+6. On the **Options** page, accept the default settings and click **Next**.
+7. On the **Review Settings and Create Report** page, click **Create**.
+8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
-Figure 9. The DFS Replication Health Report.
+The DFS Replication Health Report.
-## Configure Windows Deployment Services (WDS) in a remote site
+>If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
+
+## Configure Windows Deployment Services (WDS) in a remote site
Like you did in the previous topic for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02.
-1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
-2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings.
+1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
+2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
-## Deploy the Windows 10 client to the remote site
+## Deploy a Windows 10 client to the remote site
-Now you should have a solution ready for deploying the Windows 10 client to the remote site, Stockholm, connecting to the MDT Production deployment share replica on MDT02.
+Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure.
+
+>For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the Boostrap.ini file.
1. Create a virtual machine with the following settings:
- 1. Name: PC0006
- 2. Location: C:\\VMs
- 3. Generation: 2
- 4. Memory: 2048 MB
- 5. Hard disk: 60 GB (dynamic disk)
-2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
+ 1. Name: PC0006
+ 2. Location: C:\\VMs
+ 3. Generation: 2
+ 4. Memory: 2048 MB
+ 5. Hard disk: 60 GB (dynamic disk)
+ 6. Install an operating system from a network-based installation server
+2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
- 1. Password: P@ssw0rd
- 2. Select a task sequence to execute on this computer:
- 1. Windows 10 Enterprise x64 RTM Custom Image
- 2. Computer Name: PC0006
- 3. Applications: Select the Install - Adobe Reader XI - x86 application
-4. The setup will now start and do the following:
+ 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+ 2. Computer Name: PC0006
+ 3. Applications: Select the Install - Adobe Reader
+4. Setup will now start and perform the following:
1. Install the Windows 10 Enterprise operating system.
- 2. Install the added application.
- 3. Update the operating system via your local Windows Server Update Services (WSUS) server.
+ 2. Install applications.
+ 3. Update the operating system using your local Windows Server Update Services (WSUS) server.
+
+
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
-
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 2b89867e2e..0eac636a76 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -1,6 +1,6 @@
---
title: Configure MDT settings (Windows 10)
-description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities. Learn how to customize your environment.
+description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization.
ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
ms.reviewer:
manager: laurawi
@@ -19,11 +19,11 @@ ms.topic: article
# Configure MDT settings
One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-Figure 1. The machines used in this topic.
+The computers used in this topic.
## In this section
@@ -38,14 +38,9 @@ Figure 1. The machines used in this topic.
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
deleted file mode 100644
index 9076a17339..0000000000
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ /dev/null
@@ -1,191 +0,0 @@
----
-title: Create a task sequence with Configuration Manager (Windows 10)
-description: Create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
-ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade, task sequence, install
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.pagetype: mdt
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Create a task sequence with Configuration Manager and MDT
-
-
-**Applies to**
-
-- Windows 10
-
-In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Create a task sequence using the MDT Integration Wizard
-
-
-This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-
-2. On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
-
-3. On the **General** page, assign the following settings and then click **Next**:
-
- * Task sequence name: Windows 10 Enterprise x64 RTM
-
- * Task sequence comments: Production image with Office 2013
-
-4. On the **Details** page, assign the following settings and then click **Next**:
-
- * Join a Domain
-
- * Domain: contoso.com
-
- * Account: CONTOSO\\CM\_JD
-
- * Password: Passw0rd!
-
- * Windows Settings
-
- * User name: Contoso
-
- * Organization name: Contoso
-
- * Product key: <blank>
-
-5. On the **Capture Settings** page, accept the default settings, and click **Next**.
-
-6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-
-7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
-
-8. On the **MDT Details** page, assign the name **MDT** and click **Next**.
-
-9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
-
-10. On the **Deployment Method** page, accept the default settings and click **Next**.
-
-11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**.
-
-12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
-
-13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**.
-
-14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
-
-15. On the **Sysprep Package** page, click **Next** twice.
-
-16. On the **Confirmation** page, click **Finish**.
-
-## Edit the task sequence
-
-
-After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
-
-1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
-
-2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
-
- * OSDPreserveDriveLetter: True
-
- >[!NOTE]
- >If you don't change this value, your Windows installation will end up in E:\\Windows.
-
-3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
-
-4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
-
-5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
-
-6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
-
- * Name: HP EliteBook 8560w
-
- * Driver Package: Windows 10 x64 - HP EliteBook 8560w
-
- * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
-
- >[!NOTE]
- >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
-
- 
-
- *Figure 24. The driver package options*
-
-7. In the **State Restore / Install Applications** group, select the **Install Application** action.
-
-8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
-
- 
-
- *Figure 25. Add an application to the Configuration Manager task sequence*
-
-9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
-
- * Restore state from another computer
-
- * If computer account fails to connect to state store, use the Network Access account
-
- * Options: Continue on error
-
- * Options / Condition:
-
- * Task Sequence Variable
-
- * USMTLOCAL not equals True
-
-10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
-
- * Options: Continue on error
-
- * Options / Condition:
-
- * Task Sequence Variable
-
- * USMTLOCAL not equals True
-
-11. Click **OK**.
-
->[!NOTE]
->The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
-
-
-
-## Move the packages
-
-
-While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps.
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
-
-2. Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**.
-
-3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 8e20ab78c8..c55b476746 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -19,60 +19,72 @@ ms.topic: article
# Create a Windows 10 reference image
**Applies to**
-- Windows 10
+- Windows 10
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation.
>[!NOTE]
->For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
+>See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide.
-Figure 1. The machines used in this topic.
+For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01.
+ - DC01 is a domain controller for the contoso.com domain.
+ - MDT01 is a contoso.com domain member server.
+ - HV01 is a Hyper-V server that will be used to build the reference image.
+
+ 
+
+ Computers used in this topic.
## The reference image
-The reference image described in this documentation is designed primarily for deployment to physical machines. However, the reference image is created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following:
-- You reduce development time and can use snapshots to test different configurations quickly.
-- You rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related.
-- It ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
-- It's easy to move between lab, test, and production.
+The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following:
+- To reduce development time and can use snapshots to test different configurations quickly.
+- To rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related.
+- To ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
+- The image is easy to move between lab, test, and production.
-## Set up the MDT build lab deployment share
+## Set up the MDT build lab deployment share
-With Windows 10, there is no hard requirement to create reference images; however, to reduce the time needed for deployment, you may want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
+With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
### Create the MDT build lab deployment share
-- On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
+On **MDT01**:
+
+- Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic).
+- Start the MDT deployment workbench, and pin this to the taskbar for easy access.
- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
- Use the following settings for the New Deployment Share Wizard:
-- Deployment share path: E:\\MDTBuildLab
-- Share name: MDTBuildLab$
-- Deployment share description: MDT Build Lab
-- <default>
-- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share.
+ - Deployment share path: **D:\\MDTBuildLab**
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT Build Lab**
+- Accept the default selections on the Options page and click **Next**.
+- Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**.
+- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share.
-
+ 
-Figure 2. The Deployment Workbench with the MDT Build Lab deployment share created.
+ The Deployment Workbench with the MDT Build Lab deployment share.
+
+### Enable monitoring
+
+To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional.
### Configure permissions for the deployment share
-In order to write the reference image back to the deployment share, you need to assign Modify permissions to the MDT Build Account (MDT\_BA) for the **Captures** subfolder in the **E:\\MDTBuildLab** folder
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Modify the NTFS permissions for the **E:\\MDTBuildLab\\Captures** folder by running the following command in an elevated Windows PowerShell prompt:
+In order to read files in the deployment share and write the reference image back to it, you need to assign NTSF and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
- ```
- icacls E:\MDTBuildLab\Captures /grant '"MDT_BA":(OI)(CI)(M)'
+On **MDT01**:
+
+1. Ensure you are signed in as **contoso\\administrator**.
+2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt:
+
+ ``` powershell
+ icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
+ grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
```
-
-
-Figure 3. Permissions configured for the MDT\_BA user.
-
-## Add the setup files
+## Add setup files
This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
@@ -85,211 +97,205 @@ MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images t
### Add Windows 10 Enterprise x64 (full source)
-In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the **E:\\Downloads\\Windows 10 Enterprise x64** folder.
+On **MDT01**:
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
-3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
-4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
-5. Full set of source files
-6. Source directory: E:\\Downloads\\Windows 10 Enterprise x64
-7. Destination directory name: W10EX64RTM
-8. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image**
+1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
-
+ 
-Figure 4. The imported Windows 10 operating system after renaming it.
+2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
+3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
+4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
+ - Full set of source files
+ - Source directory: (location of your source files)
+ - Destination directory name: W10EX64RTM
+5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
-## Add applications
+ 
-Before you create an MDT task sequence, you need to add all of the applications and other sample scripts to the MDT Build Lab share.
+>Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
-The steps in this section use a strict naming standard for your MDT applications. You add the "Install - " prefix for typical application installations that run a setup installer of some kind, and you use the "Configure - " prefix when an application configures a setting in the operating system. You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures). Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
-By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. In this topic's step-by-step sections, you will add the following applications:
+## Add applications
-- Install - Microsoft Office 2013 Pro Plus - x86
-- Install - Microsoft Silverlight 5.0 - x64
-- Install - Microsoft Visual C++ 2005 SP1 - x86
-- Install - Microsoft Visual C++ 2005 SP1 - x64
-- Install - Microsoft Visual C++ 2008 SP1 - x86
-- Install - Microsoft Visual C++ 2008 SP1 - x64
-- Install - Microsoft Visual C++ 2010 SP1 - x86
-- Install - Microsoft Visual C++ 2010 SP1 - x64
-- Install - Microsoft Visual C++ 2012 Update 4 - x86
-- Install - Microsoft Visual C++ 2012 Update 4 - x64
+Before you create an MDT task sequence, you need to add any applications and scripts you wish to install to the MDT Build Lab share.
-In these examples, we assume that you downloaded the software in this list to the E:\\Downloads folder. The first application is added using the UI, but because MDT supports Windows PowerShell, you add the other applications using Windows PowerShell.
+On **MDT01**:
+
+First, create an MDT folder to store the Microsoft applications that will be installed:
+
+1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications**
+2. Right-click **Applications** and then click **New Folder**.
+3. Under **Folder name**, type **Microsoft**.
+4. Click **Next** twice, and then click **Finish**.
+
+The steps in this section use a strict naming standard for your MDT applications.
+- Use the "Install - " prefix for typical application installations that run a setup installer of some kind,
+- Use the "Configure - " prefix when an application configures a setting in the operating system.
+- You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures).
+
+Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
+
+By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments.
+
+In example sections, you will add the following applications:
+
+- Install - Microsoft Office 365 Pro Plus - x64
+- Install - Microsoft Visual C++ Redistributable 2019 - x86
+- Install - Microsoft Visual C++ Redistributable 2019 - x64
+
+>The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261)
+
+Download links:
+- [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117)
+- [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe)
+- [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe)
+
+Download all three items in this list to the D:\\Downloads folder on MDT01.
+
+**Note**: For the purposes of this lab, we will leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
>[!NOTE]
->All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523).
+>All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
-### Create the install: Microsoft Office Professional Plus 2013 x86
+### Create configuration file: Microsoft Office 365 Professional Plus x64
-You can customize Office 2013. In the volume license versions of Office 2013, there is an Office Customization Tool you can use to customize the Office installation. In these steps we assume you have copied the Office 2013 installation files to the E:\\Downloads\\Office2013 folder.
+1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
+2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
-### Add the Microsoft Office Professional Plus 2013 x86 installation files
+ For example, you can use the following configuration.xml file, which provides these configuration settings:
+ - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
+ - Use the Semi-Annual Channel and get updates directly from the Office CDN on the internet.
+ - Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages.
-After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this.
-You also can customize the Office installation using a Config.xml file. But we recommend that you use the Office Customization Tool as described in the following steps, as it provides a much richer way of controlling Office 2013 settings.
-1. Using the Deployment Workbench in the MDT Build Lab deployment share, expand the **Applications / Microsoft** node, and double-click **Install - Microsoft Office 2013 Pro Plus x86**.
-2. In the **Office Products** tab, click **Office Customization Tool**, and click **OK** in the **Information** dialog box.
+ ```xml
+
+
+
+
+
+
+
+
+
+ ```
- 
+ By using these settings, any time you build the reference image you’ll be installing the most up-to-date Semi-Annual Channel version of Microsoft 365 Apps for enterprise.
- Figure 5. The Install - Microsoft Office 2013 Pro Plus - x86 application properties.
+ >[!TIP]
+ >You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
+
+ Also see [Configuration options for the Office Deployment Tool](https://docs.microsoft.com/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](https://docs.microsoft.com/DeployOffice/overview-of-the-office-2016-deployment-tool) for more information.
- >[!NOTE]
- >If you don't see the Office Products tab, verify that you are using a volume license version of Office. If you are deploying Office 365, you need to download the Admin folder from Microsoft.
-
-3. In the Office Customization Tool dialog box, select the Create a new Setup customization file for the following product option, select the Microsoft Office Professional Plus 2013 (32-bit) product, and click OK.
-4. Use the following settings to configure the Office 2013 setup to be fully unattended:
- 1. Install location and organization name
- - Organization name: Contoso
- 2. Licensing and user interface
- 1. Select Use KMS client key
- 2. Select I accept the terms in the License Agreement.
- 3. Select Display level: None
+3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder:
- 
+ 
- Figure 6. The licensing and user interface screen in the Microsoft Office Customization Tool
+ Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet.
- 3. Modify Setup properties
- - Add the **SETUP\_REBOOT** property and set the value to **Never**.
- 4. Modify user settings
- - In the **Microsoft Office 2013** node, expand **Privacy**, select **Trust Center**, and enable the Disable Opt-in Wizard on first run setting.
-5. From the **File** menu, select **Save**, and save the configuration as 0\_Office2013ProPlusx86.msp in the **E:\\MDTBuildLab\\Applications\\Install - Microsoft Office 2013 Pro Plus - x86\\Updates** folder.
+ >[!IMPORTANT]
+ >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
- >[!NOTE]
- >The reason for naming the file with a 0 (zero) at the beginning is that the Updates folder also handles Microsoft Office updates, and they are installed in alphabetical order. The Office 2013 setup works best if the customization file is installed before any updates.
-
-6. Close the Office Customization Tool, click Yes in the dialog box, and in the **Install - Microsoft Office 2013 Pro Plus - x86 Properties** window, click **OK**.
+Additional information
+- Microsoft 365 Apps for enterprise is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image.
+
+- **Note**: By using installing Office Deployment Tool as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
+ - When you are creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
### Connect to the deployment share using Windows PowerShell
If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in and then make the deployment share a PowerShell drive (PSDrive).
-1. On MDT01, log on as **CONTOSO\\Administrator**.
+
+On **MDT01**:
+
+1. Ensure you are signed in as **contoso\\Administrator**.
2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
``` powershell
Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
- New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab"
+ New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "D:\MDTBuildLab"
```
+>[!TIP]
+>Use "Get-Command -module MicrosoftDeploymentToolkit" to see a list of available cmdlets
-### Create the install: Microsoft Visual C++ 2005 SP1 x86
+### Create the install: Microsoft Office 365 Pro Plus - x64
-In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x86.
-1. On MDT01, log on as **CONTOSO\\Administrator**.
+In these steps we assume that you have downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365.
+On **MDT01**:
+
+1. Ensure you are signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` powershell
- $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x86"
- $CommandLine = "vcredist_x86.exe /Q"
- $ApplicationSourcePath = "E:\Downloads\VC++2005SP1x86"
- Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
- -Verbose
+ $ApplicationName = "Install - Office365 ProPlus - x64"
+ $CommandLine = "setup.exe /configure configuration.xml"
+ $ApplicationSourcePath = "D:\Downloads\Office365"
+ Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose
```
-### Create the install: Microsoft Visual C++ 2005 SP1 x64
+ Upon successful installation the following text is displayed:
+ ```
+ VERBOSE: Performing the operation "import" on target "Application".
+ VERBOSE: Beginning application import
+ VERBOSE: Copying application source files from D:\Downloads\Office365 to D:\MDTBuildLab\Applications\Install -
+ Office365 ProPlus - x64
+ VERBOSE: Creating new item named Install - Office365 ProPlus - x64 at DS001:\Applications\Microsoft.
+
+ Name
+ ----
+ Install - Office365 ProPlus - x64
+ VERBOSE: Import processing finished.
+ ```
-In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x64.
-1. On MDT01, log on as **CONTOSO\\Administrator**.
+### Create the install: Microsoft Visual C++ Redistributable 2019 - x86
+
+>[!NOTE]
+>We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters.
+
+In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
+
+On **MDT01**:
+
+1. Ensure you are signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` powershell
- $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64"
- $CommandLine = "vcredist_x64.exe /Q"
- $ApplicationSourcePath = "E:\Downloads\VC++2005SP1x64"
- Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
- -Verbose
+ $ApplicationName = "Install - MSVC 2019 - x86"
+ $CommandLine = "vc_redist.x86.exe /Q"
+ $ApplicationSourcePath = "D:\Downloads"
+ Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose
```
-### Create the install: Microsoft Visual C++ 2008 SP1 x86
+ Upon successful installation the following text is displayed:
+ ```
+ VERBOSE: Performing the operation "import" on target "Application".
+ VERBOSE: Beginning application import
+ VERBOSE: Copying application source files from D:\Downloads to D:\MDTBuildLab\Applications\Install - MSVC 2019 - x86
+ VERBOSE: Creating new item named Install - MSVC 2019 - x86 at DS001:\Applications\Microsoft.
+
+ Name
+ ----
+ Install - MSVC 2019 - x86
+ VERBOSE: Import processing finished.
+ ```
-In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x86.
-1. On MDT01, log on as **CONTOSO\\Administrator**.
+### Create the install: Microsoft Visual C++ Redistributable 2019 - x64
+
+In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
+
+On **MDT01**:
+
+1. Ensure you are signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` powershell
- $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x86"
- $CommandLine = "vcredist_x86.exe /Q"
- $ApplicationSourcePath = "E:\Downloads\VC++2008SP1x86"
- Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
- -Verbose
+ $ApplicationName = "Install - MSVC 2019 - x64"
+ $CommandLine = "vc_redist.x64.exe /Q"
+ $ApplicationSourcePath = "D:\Downloads"
+ Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose
```
-### Create the install: Microsoft Visual C++ 2008 SP1 x64
-
-In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x64.
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Create the application by running the following commands in an elevated PowerShell prompt:
-
- ``` powershell
- $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64"
- $CommandLine = "vcredist_x64.exe /Q"
- $ApplicationSourcePath = "E:\Downloads\VC++2008SP1x64"
- Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
- -Verbose
- ```
-
-### Create the install: Microsoft Visual C++ 2010 SP1 x86
-
-In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x86.
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Create the application by running the following commands in an elevated PowerShell prompt:
-
- ``` powershell
- $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x86"
- $CommandLine = "vcredist_x86.exe /Q"
- $ApplicationSourcePath = "E:\Downloads\VC++2010SP1x86"
- Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
- -Verbose
- ```
-
-### Create the install: Microsoft Visual C++ 2010 SP1 x64
-
-In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x64.
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Create the application by running the following commands in an elevated PowerShell prompt:
-
- ``` powershell
- $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64"
- $CommandLine = "vcredist_x64.exe /Q"
- $ApplicationSourcePath = "E:\Downloads\VC++2010SP1x64"
- Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
- -Verbose
- ```
-
-### Create the install: Microsoft Visual C++ 2012 Update 4 x86
-
-In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux86.
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Create the application by running the following commands in an elevated PowerShell prompt:
-
- ``` powershell
- $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x86"
- $CommandLine = "vcredist_x86.exe /Q"
- $ApplicationSourcePath = "E:\Downloads\VC++2012Ux86"
- Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
- -Verbose
- ```
-
-### Create the install: Microsoft Visual C++ 2012 Update 4 x64
-
-In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux64.
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Create the application by running the following commands in an elevated PowerShell prompt:
-
- ``` powershell
- $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64"
- $CommandLine = "vcredist_x64.exe /Q"
- $ApplicationSourcePath = "E:\Downloads\VC++2012Ux64"
- Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
- -Verbose
- ```
-
-## Create the reference image task sequence
+## Create the reference image task sequence
In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image.
After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying.
@@ -302,79 +308,72 @@ Because we use modern virtual platforms for creating our reference images, we do
To create a Windows 10 reference image task sequence, the process is as follows:
-1. Using the Deployment Workbench in the MDT Build Lab deployment share, right-click **Task Sequences**, and create a new folder named **Windows 10**.
-2. Expand the **Task Sequences** node, right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- 1. Task sequence ID: REFW10X64-001
- 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image
- 3. Task sequence comments: Reference Build
- 4. Template: Standard Client Task Sequence
- 5. Select OS: Windows 10 Enterprise x64 RTM Default Image
- 6. Specify Product Key: Do not specify a product key at this time
- 7. Full Name: Contoso
- 8. Organization: Contoso
- 9. Internet Explorer home page: http://www.contoso.com
- 10. Admin Password: Do not specify an Administrator Password at this time
+On **MDT01**:
+
+1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**.
+2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ 1. Task sequence ID: REFW10X64-001
+ 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image
+ 3. Task sequence comments: Reference Build
+ 4. Template: Standard Client Task Sequence
+ 5. Select OS: Windows 10 Enterprise x64 RTM Default Image
+ 6. Specify Product Key: Do not specify a product key at this time
+ 7. Full Name: Contoso
+ 8. Organization: Contoso
+ 9. Internet Explorer home page: http://www.contoso.com
+ 10. Admin Password: Do not specify an Administrator Password at this time
### Edit the Windows 10 task sequence
-The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office 2013.
+The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office365 ProPlus x64.
-1. In the Task Sequences / Windows 10 folder, right-click the Windows 10 Enterprise x64 RTM Default Image task sequence, and select Properties.
-2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings:
- 1. State Restore. Enable the Windows Update (Pre-Application Installation) action.
- **Note**
- Enable an action by going to the Options tab and clearing the Disable this step check box.
+On **MDT01**:
+
+1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**.
+2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings:
+ 1. **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box.
- 2. State Restore. Enable the Windows Update (Post-Application Installation) action.
- 3. State Restore. Enable the Windows Update (Post-Application Installation) action. State Restore. After the **Tattoo** action, add a new **Group** action with the following setting:
- - Name: Custom Tasks (Pre-Windows Update)
- 4. State Restore. After Windows Update (Post-Application Installation) action, rename Custom Tasks to Custom Tasks (Post-Windows Update).
- **Note**
- The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating.
-
- 5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings:
- 1. Name: Install - Microsoft NET Framework 3.5.1
- 2. Select the operating system for which roles are to be installed: Windows 10
- 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
+ 2. **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action.
+ 3. **State Restore**: After the **Tattoo** action, add a new **Group** action (click **Add** then click **New Group**) with the following setting:
+ - Name: **Custom Tasks (Pre-Windows Update)**
+ 4. **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**.
+ - **Note**: The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating.
+ 5. **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings:
+ 1. Name: Install - Microsoft NET Framework 3.5.1
+ 2. Select the operating system for which roles are to be installed: Windows 10
+ 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
>[!IMPORTANT]
>This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
- 
+ 
- Figure 7. The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action.
+ The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action.
- 6. State Restore - Custom Tasks (Pre-Windows Update). After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action with the following settings:
- 1. Name: Install - Microsoft Visual C++ 2005 SP1 - x86
- 2. Install a Single Application: Install - Microsoft Visual C++ 2005 SP1 - x86-x64
- 7. Repeat the previous step (add a new **Install Application**) to add the following applications:
- 1. Install - Microsoft Visual C++ 2005 SP1 - x64
- 2. Install - Microsoft Visual C++ 2008 SP1 - x86
- 3. Install - Microsoft Visual C++ 2008 SP1 - x64
- 4. Install - Microsoft Visual C++ 2010 SP1 - x86
- 5. Install - Microsoft Visual C++ 2010 SP1 - x64
- 6. Install - Microsoft Visual C++ 2012 Update 4 - x86
- 7. Install - Microsoft Visual C++ 2012 Update 4 - x64
- 8. Install - Microsoft Office 2013 Pro Plus - x86
- 8. After the Install - Microsoft Office 2013 Pro Plus - x86 action, add a new Restart computer action.
-3. Click **OK**.
+ 6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings:
+ 1. Name: Microsoft Visual C++ Redistributable 2019 - x86
+ 2. Install a Single Application: browse to **Install - MSVC 2019 - x86**
+ 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
+3. Click **OK**.
+
+ 
### Optional configuration: Add a suspend action
The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
-
+ 
-Figure 8. A task sequence with optional Suspend action (LTISuspend.wsf) added.
+ A task sequence with optional Suspend action (LTISuspend.wsf) added.
-
+ 
-Figure 9. The Windows 10 desktop with the Resume Task Sequence shortcut.
+ The Windows 10 desktop with the Resume Task Sequence shortcut.
### Edit the Unattend.xml file for Windows 10 Enterprise
-When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer 11 behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use Internet Explorer Administration Kit (IEAK).
+When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use the Internet Explorer Administration Kit (IEAK).
>[!WARNING]
>Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
@@ -384,37 +383,54 @@ When using MDT, you don't need to edit the Unattend.xml file very often because
Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence:
-1. Using the Deployment Workbench, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
-2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
-3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry.
-4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:
- - DisableDevTools: true
-5. Save the Unattend.xml file, and close Windows SIM.
-6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**.
+On **MDT01**:
-
+1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
+2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
-Figure 10. Windows System Image Manager with the Windows 10 Unattend.xml.
+ >[!IMPORTANT]
+ >The current version of MDT (8456) has a known issue generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. As a temporary workaround:
+ >- Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
+ >- Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
+ >- Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
+ >- After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
-## Configure the MDT deployment share rules
+3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry.
+4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:
+ - DisableDevTools: true
+5. Save the Unattend.xml file, and close Windows SIM.
+ - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
+6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**.
-Understanding rules is critical to successfully using MDT. Rules are configured using the Rules tab of the deployment share's properties. The Rules tab is essentially a shortcut to edit the CustomSettings.ini file that exists in the E:\\MDTBuildLab\\Control folder. This section discusses how to configure the MDT deployment share rules as part of your Windows 10 Enterprise deployment.
+ 
+
+ Windows System Image Manager with the Windows 10 Unattend.xml.
+
+## Configure the MDT deployment share rules
+
+Understanding rules is critical to successfully using MDT. Rules are configured using the **Rules** tab of the deployment share's properties. The **Rules** tab is essentially a shortcut to edit the **CustomSettings.ini** file that exists in the **D:\\MDTBuildLab\\Control** folder. This section discusses how to configure the MDT deployment share rules as part of your Windows 10 Enterprise deployment.
### MDT deployment share rules overview
-In MDT, there are always two rule files: the CustomSettings.ini file and the Bootstrap.ini file. You can add almost any rule to either; however, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file.
-For that reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you click OK. By taking the following steps, you will configure the rules for the MDT Build Lab deployment share:
-1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Properties**.
-2. Select the **Rules** tab and modify using the following information:
+In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you click OK.
+
+To configure the rules for the MDT Build Lab deployment share:
+
+On **MDT01**:
+
+1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**.
+2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you do not have a WSUS server in your environment, delete the **WSUSServer** line from the configuration:
+
```
[Settings]
Priority=Default
+
[Default]
_SMSTSORGNAME=Contoso
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
- AdminPassword=P@ssw0rd
+ AdminPassword=pass@word1
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=YES
@@ -439,49 +455,46 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which
SkipFinalSummary=YES
```
- 
-
- Figure 11. The server-side rules for the MDT Build Lab deployment share.
+ 
+ The server-side rules for the MDT Build Lab deployment share.
+
3. Click **Edit Bootstrap.ini** and modify using the following information:
```
[Settings]
Priority=Default
+
[Default]
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=CONTOSO
UserID=MDT_BA
- UserPassword=P@ssw0rd
+ UserPassword=pass@word1
+
SkipBDDWelcome=YES
```
- 
-
- Figure 12. The boot image rules for the MDT Build Lab deployment share.
-
>[!NOTE]
- >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation.
+ >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
-4. In the **Windows PE** tab, in the **Platform** drop-down list, select **x86**.
-5. In the **Lite Touch Boot Image Settings** area, configure the following settings:
- 1. Image description: MDT Build Lab x86
- 2. ISO file name: MDT Build Lab x86.iso
-6. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
-7. In the **Lite Touch Boot Image Settings** area, configure the following settings:
- 1. Image description: MDT Build Lab x64
- 2. ISO file name: MDT Build Lab x64.iso
-8. Click **OK**.
+4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**.
+5. In the **Lite Touch Boot Image Settings** area, configure the following settings:
+ 1. Image description: MDT Build Lab x86
+ 2. ISO file name: MDT Build Lab x86.iso
+6. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+7. In the **Lite Touch Boot Image Settings** area, configure the following settings:
+ 1. Image description: MDT Build Lab x64
+ 2. ISO file name: MDT Build Lab x64.iso
+8. Click **OK**.
>[!NOTE]
>In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).
-
### Update the deployment share
After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created.
-1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**.
+1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
>[!NOTE]
@@ -500,7 +513,7 @@ The CustomSettings.ini file is normally stored on the server, in the Deployment
### The Bootstrap.ini file
-The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the E:\\MDTBuildLab\\Control folder on MDT01.
+The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the D:\\MDTBuildLab\\Control folder on MDT01.
```
[Settings]
@@ -509,7 +522,7 @@ Priority=Default
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=CONTOSO
UserID=MDT_BA
-UserPassword=P@ssw0rd
+UserPassword=pass@word1
SkipBDDWelcome=YES
```
@@ -538,7 +551,7 @@ _SMSTSORGNAME=Contoso
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
-AdminPassword=P@ssw0rd
+AdminPassword=pass@word1
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=YES
@@ -562,91 +575,105 @@ SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
```
-- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file.
-- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment.
-- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image.
-- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed.
-- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed.
-- **AdminPassword.** Sets the local Administrator account password.
-- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003).
+- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file.
+- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment.
+- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image.
+- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed.
+- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed.
+- **AdminPassword.** Sets the local Administrator account password.
+- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003).
- **Note**
- The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
+ **Note**: The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
-- **JoinWorkgroup.** Configures Windows to join a workgroup.
-- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
-- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
-- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image.
-- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
-- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed.
-- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM).
-- **SkipAdminPassword.** Skips the pane that asks for the Administrator password.
-- **SkipProductKey.** Skips the pane that asks for the product key.
-- **SkipComputerName.** Skips the Computer Name pane.
-- **SkipDomainMemberShip.** Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties.
-- **SkipUserData.** Skips the pane for user state migration.
-- **SkipLocaleSelection.** Skips the pane for selecting language and keyboard settings.
-- **SkipTimeZone.** Skips the pane for setting the time zone.
-- **SkipApplications.** Skips the Applications pane.
-- **SkipBitLocker.** Skips the BitLocker pane.
-- **SkipSummary.** Skips the initial Windows Deployment Wizard summary pane.
-- **SkipRoles.** Skips the Install Roles and Features pane.
-- **SkipCapture.** Skips the Capture pane.
-- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down.
+- **JoinWorkgroup.** Configures Windows to join a workgroup.
+- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
+- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
+- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image.
+- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
+- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed.
+- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM).
+- **SkipAdminPassword.** Skips the pane that asks for the Administrator password.
+- **SkipProductKey.** Skips the pane that asks for the product key.
+- **SkipComputerName.** Skips the Computer Name pane.
+- **SkipDomainMemberShip.** Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties.
+- **SkipUserData.** Skips the pane for user state migration.
+- **SkipLocaleSelection.** Skips the pane for selecting language and keyboard settings.
+- **SkipTimeZone.** Skips the pane for setting the time zone.
+- **SkipApplications.** Skips the Applications pane.
+- **SkipBitLocker.** Skips the BitLocker pane.
+- **SkipSummary.** Skips the initial Windows Deployment Wizard summary pane.
+- **SkipRoles.** Skips the Install Roles and Features pane.
+- **SkipCapture.** Skips the Capture pane.
+- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down.
-## Build the Windows 10 reference image
+## Build the Windows 10 reference image
-Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process.
-This steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then execute the reference image task sequence image to create and capture the Windows 10 reference image.
+As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information.
-1. Copy the E:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on the Hyper-V host.
+Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process.
- **Note**
- Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image.
+The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image.
+
+1. Copy D:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on your Hyper-V host (HV01).
+
+ **Note**: Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image.
+
+On **HV01**:
-2. Create a virtual machine with the following settings:
- 1. Name: REFW10X64-001
- 2. Location: C:\\VMs
- 3. Memory: 1024 MB
- 4. Network: External (The network that is connected to the same infrastructure as MDT01 is)
- 5. Hard disk: 60 GB (dynamic disk)
- 6. Image file: C:\\ISO\\MDT Build Lab x86.iso
-3. Take a snapshot of the REFW10X64-001 virtual machine, and name it **Clean with MDT Build Lab x86 ISO**.
+2. Create a new virtual machine with the following settings:
+ 1. Name: REFW10X64-001
+ 2. Store the virtual machine in a different location: C:\VM
+ 3. Generation 1
+ 4. Memory: 1024 MB
+ 5. Network: Must be able to connect to \\MDT01\MDTBuildLab$
+ 7. Hard disk: 60 GB (dynamic disk)
+ 8. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso
+1. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**.
- **Note**
- Taking a snapshot is useful if you need to restart the process and want to make sure you can start clean.
+ **Note**: Checkpoints are useful if you need to restart the process and want to make sure you can start clean.
-4. Start the REFW10X64-001 virtual machine. After booting into Windows PE, complete the Windows Deployment Wizard using the following settings:
- 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image
- 2. Specify whether to capture an image: Capture an image of this reference computer
- - Location: \\\\MDT01\\MDTBuildLab$\\Captures
- 3. File name: REFW10X64-001.wim
+4. Start the REFW10X64-001 virtual machine and connect to it.
- 
+ **Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11.
- Figure 13. The Windows Deployment Wizard for the Windows 10 reference image.
+ After booting into Windows PE, complete the Windows Deployment Wizard with the following settings:
+ 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image
+ 2. Specify whether to capture an image: Capture an image of this reference computer
+ - Location: \\\\MDT01\\MDTBuildLab$\\Captures
+ 3. File name: REFW10X64-001.wim
-5. The setup now starts and does the following:
- 1. Installs the Windows 10 Enterprise operating system.
- 2. Installs the added applications, roles, and features.
- 3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
- 4. Stages Windows PE on the local disk.
- 5. Runs System Preparation (Sysprep) and reboots into Windows PE.
- 6. Captures the installation to a Windows Imaging (WIM) file.
- 7. Turns off the virtual machine.
+ 
-After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the E:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
+ The Windows Deployment Wizard for the Windows 10 reference image.
+
+5. The setup now starts and does the following:
+ 1. Installs the Windows 10 Enterprise operating system.
+ 2. Installs the added applications, roles, and features.
+ 3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
+ 4. Stages Windows PE on the local disk.
+ 5. Runs System Preparation (Sysprep) and reboots into Windows PE.
+ 6. Captures the installation to a Windows Imaging (WIM) file.
+ 7. Turns off the virtual machine.
+
+After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
+
+ 
+
+## Troubleshooting
+
+If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.
+
+ 
+
+If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](https://docs.microsoft.com/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
+
+After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 238fd0d31e..7e06abfeb3 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -21,115 +21,144 @@ ms.topic: article
**Applies to**
- Windows 10
-This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment.
+This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
-For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation.
+We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules.
-
+For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005.
-Figure 1. The machines used in this topic.
+- DC01 is a domain controller
+- MDT01 is a domain member server
+- HV01 is a Hyper-V server
+- PC0005 is a blank device to which we will deploy Windows 10
+
+MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment.
+
+ 
>[!NOTE]
->For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
+>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-## Step 1: Configure Active Directory permissions
+## Step 1: Configure Active Directory permissions
+
+These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
+
+On **DC01**:
+
+1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01. This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit.
+2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt:
+
+ ```powershell
+ New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
+ ```
+
+3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt:
-These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
-1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-2. Select the **Service Accounts** organizational unit (OU) and create the MDT\_JD account using the following settings:
- 1. Name: MDT\_JD
- 2. User logon name: MDT\_JD
- 3. Password: P@ssw0rd
- 4. User must change password at next logon: Clear
- 5. User cannot change password: Select
- 6. Password never expires: Select
-3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press **Enter** after each command:
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\Setup\Scripts
.\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
```
-4. The Set-OUPermissions.ps1 script allows the MDT\_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted:
- 1. Scope: This object and all descendant objects
- 1. Create Computer objects
- 2. Delete Computer objects
- 2. Scope: Descendant Computer objects
- 1. Read All Properties
- 2. Write All Properties
- 3. Read Permissions
- 4. Modify Permissions
- 5. Change Password
- 6. Reset Password
- 7. Validated write to DNS host name
- 8. Validated write to service principal name
-## Step 2: Set up the MDT production deployment share
+The following is a list of the permissions being granted:
+ a. Scope: This object and all descendant objects
+ b. Create Computer objects
+ c. Delete Computer objects
+ d. Scope: Descendant Computer objects
+ e. Read All Properties
+ f. Write All Properties
+ g. Read Permissions
+ h. Modify Permissions
+ i. Change Password
+ j. Reset Password
+ k. Validated write to DNS host name
+ l. Validated write to service principal name
-When you are ready to deploy Windows 10 in a production environment, you will first create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. For guidance on creating a custom Windows 10 image, see
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+## Step 2: Set up the MDT production deployment share
+
+Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server.
### Create the MDT production deployment share
+On **MDT01**:
+
The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image:
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
-2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
-3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction** and click **Next**.
+
+1. Ensure you are signed on as: contoso\administrator.
+2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
-## Step 3: Add a custom image
+### Configure permissions for the production deployment share
+
+To read files in the deployment share, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTProduction** folder
+
+On **MDT01**:
+
+1. Ensure you are signed in as **contoso\\administrator**.
+2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt:
+
+ ``` powershell
+ icacls "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
+ grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
+ ```
+
+## Step 3: Add a custom image
The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components.
### Add the Windows 10 Enterprise x64 RTM custom image
-In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image in the E:\\MDTBuildLab\\Captures folder on MDT01.
+In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
+
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
3. On the **OS Type** page, select **Custom image file** and click **Next**.
-4. On the **Image** page, in the **Source file** text box, browse to **E:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
-5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **E:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
+4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
+5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
-7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to match the following: **Windows 10 Enterprise x64 RTM Custom Image**.
+7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
>[!NOTE]
>The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
-
+
-Figure 2. The imported operating system after renaming it.
+## Step 4: Add an application
-## Step 4: Add an application
+When you configure your MDT Build Lab deployment share, you can also add applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example.
-When you configure your MDT Build Lab deployment share, you will also add any applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example.
+### Create the install: Adobe Reader DC
-### Create the install: Adobe Reader XI x86
+On **MDT01**:
-In this example, we assume that you have downloaded the Adobe Reader XI installation file (AdbeRdr11000\_eu\_ES.msi) to E:\\Setup\\Adobe Reader on MDT01.
-1. Using the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
-2. Right-click the **Applications** node, and create a new folder named **Adobe**.
-3. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
-4. On the **Application Type** page, select the **Application with source files** option and click **Next**.
-5. On the **Details** page, in the **Application** name text box, type **Install - Adobe Reader XI - x86** and click **Next**.
-6. On the **Source** page, in the **Source Directory** text box, browse to **E:\\Setup\\Adobe Reader XI** and click **Next**.
-7. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader XI - x86** and click **Next**.
-8. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AdbeRdr11000\_eu\_ES.msi /q**, click **Next** twice, and then click **Finish**.
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC1902120058_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
+4. Right-click the **Applications** node, and create a new folder named **Adobe**.
+5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
+6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
+7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
+8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
+9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
+10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
-
+
-Figure 3. The Adobe Reader application added to the Deployment Workbench.
+The Adobe Reader application added to the Deployment Workbench.
-## Step 5: Prepare the drivers repository
+## Step 5: Prepare the drivers repository
In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
- Lenovo ThinkPad T420
-- Dell Latitude E6440
+- Dell Latitude 7390
- HP EliteBook 8560w
- Microsoft Surface Pro
+
For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers.
>[!NOTE]
@@ -139,20 +168,22 @@ For boot images, you need to have storage and network drivers; for the operating
The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
-1. On MDT01, using File Explorer, create the **E:\\Drivers** folder.
-2. In the **E:\\Drivers** folder, create the following folder structure:
+On **MDT01**:
+
+1. Using File Explorer, create the **D:\\drivers** folder.
+2. In the **D:\\drivers** folder, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 10 x64
3. In the new Windows 10 x64 folder, create the following folder structure:
- Dell
- - Latitude E6440
- - HP
+ - Latitude E7450
+ - Hewlett-Packard
- HP EliteBook 8560w
- Lenovo
- - ThinkPad T420 (4178)
+ - ThinkStation P500 (30A6003TUS)
- Microsoft Corporation
- - Surface Pro 3
+ - Surface Laptop
>[!NOTE]
>Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
@@ -166,16 +197,16 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
2. WinPE x64
3. Windows 10 x64
3. In the **Windows 10 x64** folder, create the following folder structure:
- - Dell Inc.
- - Latitude E6440
+ - Dell
+ - Latitude E7450
- Hewlett-Packard
- HP EliteBook 8560w
- Lenovo
- - 4178
+ - 30A6003TUS
- Microsoft Corporation
- - Surface Pro 3
+ - Surface Laptop
-The preceding folder names are selected because they match the actual make and model values that MDT reads from the machines during deployment. You can find out the model values for your machines via the following command in Windows PowerShell:
+The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
``` powershell
Get-WmiObject -Class:Win32_ComputerSystem
@@ -188,87 +219,104 @@ wmic csproduct get name
If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
-
+
-Figure 4. The Out-of-Box Drivers structure in Deployment Workbench.
+The Out-of-Box Drivers structure in the Deployment Workbench.
### Create the selection profiles for boot image drivers
By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles.
The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice.
-1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
+
+On **MDT01**:
+
+1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
2. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: WinPE x86
2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers.
-3. Again, right-click the **Selection Profiles** node, and select **New Selection Profile**.
+ 3. Click **Next**, **Next** and **Finish**.
+3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**.
4. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: WinPE x64
2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
+ 3. Click **Next**, **Next** and **Finish**.
-Figure 5. Creating the WinPE x64 selection profile.
+Creating the WinPE x64 selection profile.
### Extract and import drivers for the x64 boot image
Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image.
-In these steps, we assume you have downloaded PROWinx64.exe from Intel.com and saved it to a temporary folder.
-1. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
-2. Using File Explorer, create the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
-3. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
-4. Using Deployment Workbench, expand the **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**. Use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\WinPE x64\\Intel PRO1000**
+On **MDT01**:
+
+1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)).
+2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
+ a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates.
+3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
+4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
+5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**.
### Download, extract, and import drivers
-### For the ThinkPad T420
+### For the Lenovo ThinkStation P500
-For the Lenovo T420 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo T420 model has the 4178B9G model name, meaning the Machine Type is 4178.
+For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
-To get the updates, you download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can download the drivers from the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
+
-In these steps, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever v5.0 to the E:\\Drivers\\Lenovo\\ThinkPad T420 (4178) folder.
+To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
-1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Lenovo** node.
-2. Right-click the **4178** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkPad T420 (4178)**
+In this example, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory.
-### For the Latitude E6440
+On **MDT01**:
-For the Dell Latitude E6440 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
+1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
+2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
-In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E6440 model to the E:\\Drivers\\Dell\\Latitude E6440 folder.
+The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
-1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Dell** node.
-2. Right-click the **Latitude E6440** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Dell\\Latitude E6440**
+### For the Latitude E7450
+
+For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
+
+In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell\\Latitude E7450** folder.
+
+On **MDT01**:
+
+1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell** node.
+2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell\\Latitude E7450**
### For the HP EliteBook 8560w
For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545).
-In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w folder.
+In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.
-1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Hewlett-Packard** node.
-2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w**
+On **MDT01**:
-### For the Microsoft Surface Pro 3
+1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
+2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
-For the Microsoft Surface Pro model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Pro 3 drivers to the E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3 folder.
+### For the Microsoft Surface Laptop
-1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Microsoft** node.
-2. Right-click the **Surface Pro 3** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3**
+For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder.
-## Step 6: Create the deployment task sequence
+On **MDT01**:
-This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the tasks sequence to enable patching via a Windows Server Update Services (WSUS) server.
+1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
+2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
+
+## Step 6: Create the deployment task sequence
+
+This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server.
### Create a task sequence for Windows 10 Enterprise
-1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
+On **MDT01**:
+
+1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: W10-X64-001
2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
@@ -278,13 +326,14 @@ This section will show you how to create the task sequence used to deploy your p
6. Specify Product Key: Do not specify a product key at this time
7. Full Name: Contoso
8. Organization: Contoso
- 9. Internet Explorer home page: about:blank
+ 9. Internet Explorer home page: https://www.contoso.com
10. Admin Password: Do not specify an Administrator Password at this time
- ### Edit the Windows 10 task sequence
-3. Right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
-4. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
- 1. Preinstall. After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
+### Edit the Windows 10 task sequence
+
+1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
+2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
+ 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
1. Name: Set DriverGroup001
2. Task Sequence Variable: DriverGroup001
3. Value: Windows 10 x64\\%Make%\\%Model%
@@ -297,89 +346,93 @@ This section will show you how to create the task sequence used to deploy your p
3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
4. State Restore. Enable the **Windows Update (Post-Application Installation)** action.
-5. Click **OK**.
+3. Click **OK**.
-
+
-Figure 6. The task sequence for production deployment.
+The task sequence for production deployment.
-## Step 7: Configure the MDT production deployment share
+## Step 7: Configure the MDT production deployment share
In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work.
### Configure the rules
-1. On MDT01, using File Explorer, copy the following files from the **D:\\Setup\\Sample Files\\MDT Production\\Control** folder to **E:\\MDTProduction\\Control**. Overwrite the existing files.
- 1. Bootstrap.ini
- 2. CustomSettings.ini
-2. Right-click the **MDT Production** deployment share and select **Properties**.
-3. Select the **Rules** tab and modify using the following information:
+On **MDT01**:
- ```
- [Settings]
- Priority=Default
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=YES
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- AdminPassword=P@ssw0rd
- JoinDomain=contoso.com
- DomainAdmin=CONTOSO\MDT_JD
- DomainAdminPassword=P@ssw0rd
- MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
- SLShare=\\MDT01\Logs$
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- WSUSServer=mdt01.contoso.com:8530
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=NO
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- ```
-4. Click **Edit Bootstrap.ini** and modify using the following information:
+1. Right-click the **MDT Production** deployment share and select **Properties**.
+2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
- ```
- [Settings]
- Priority=Default
- [Default]
- DeployRoot=\\MDT01\MDTProduction$
- UserDomain=CONTOSO
- UserID=MDT_BA
- SkipBDDWelcome=YES
- ```
-5. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
-6. In the **General** sub tab, configure the following settings:
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ OSInstall=YES
+ UserDataLocation=AUTO
+ TimeZoneName=Pacific Standard Time
+ AdminPassword=pass@word1
+ JoinDomain=contoso.com
+ DomainAdmin=CONTOSO\MDT_JD
+ DomainAdminPassword=pass@word1
+ MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
+ SLShare=\\MDT01\Logs$
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ USMTMigFiles001=MigApp.xml
+ USMTMigFiles002=MigUser.xml
+ HideShell=YES
+ ApplyGPOPack=NO
+ WSUSServer=mdt01.contoso.com:8530
+ SkipAppsOnUpgrade=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=NO
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=NO
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipCapture=YES
+ SkipFinalSummary=NO
+ ```
+
+3. Click **Edit Bootstrap.ini** and modify using the following information:
+
+```
+[Settings]
+Priority=Default
+
+[Default]
+DeployRoot=\\MDT01\MDTProduction$
+UserDomain=CONTOSO
+UserID=MDT_BA
+UserPassword=pass@word1
+SkipBDDWelcome=YES
+```
+
+4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
+5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x86
2. ISO file name: MDT Production x86.iso
> [!NOTE]
>
- > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
+ >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
-7. In the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
-8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
-9. In the **General** sub tab, configure the following settings:
+6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
+7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+8. On the **General** sub tab, configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x64
2. ISO file name: MDT Production x64.iso
-10. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
-11. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
-12. Click **OK**.
+9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
+11. Click **OK**.
>[!NOTE]
>It will take a while for the Deployment Workbench to create the monitoring database and web service.
@@ -387,39 +440,46 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
-Figure 7. The Windows PE tab for the x64 boot image.
+The Windows PE tab for the x64 boot image.
### The rules explained
-The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup and that you do not automate the logon.
+The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
+
+>
+>You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
### The Bootstrap.ini file
-This is the MDT Production Bootstrap.ini without the user credentials (except domain information):
+This is the MDT Production Bootstrap.ini:
```
[Settings]
Priority=Default
+
[Default]
DeployRoot=\\MDT01\MDTProduction$
UserDomain=CONTOSO
UserID=MDT_BA
+UserPassword=pass@word1
SkipBDDWelcome=YES
```
+
### The CustomSettings.ini file
This is the CustomSettings.ini file with the new join domain information:
```
[Settings]
Priority=Default
+
[Default]
_SMSTSORGNAME=Contoso
OSInstall=Y
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
-AdminPassword=P@ssw0rd
+AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=CONTOSO\MDT_JD
-DomainAdminPassword=P@ssw0rd
+DomainAdminPassword=pass@word1
MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
SLShare=\\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
@@ -444,7 +504,8 @@ SkipCapture=YES
SkipFinalSummary=NO
EventService=http://MDT01:9800
```
-The additional properties to use in the MDT Production rules file are as follows:
+
+Some properties to use in the MDT Production rules file are as follows:
- **JoinDomain.** The domain to join.
- **DomainAdmin.** The account to use when joining the machine to the domain.
- **DomainAdminDomain.** The domain for the join domain account.
@@ -456,33 +517,35 @@ The additional properties to use in the MDT Production rules file are as follows
### Optional deployment share configuration
-If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you
-troubleshoot MDT deployments, as well as troubleshoot Windows itself.
+If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself.
### Add DaRT 10 to the boot images
-If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT, you need to do the following:
-- Install DaRT 10 (part of MDOP 2015 R1).
-- Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share.
-- Configure the deployment share to add DaRT.
- In these steps, we assume that you downloaded MDOP 2015 R1 and copied DaRT 10 to the E:\\Setup\\DaRT 10 folder on MDT01.
-- On MDT01, install DaRT 10 (MSDaRT10.msi) using the default settings.
-- Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
-- Copy the Toolsx64.cab file to **E:\\MDTProduction\\Tools\\x64**.
-- Copy the Toolsx86.cab file to **E:\\MDTProduction\\Tools\\x86**.
-- Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
-- In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
-- In the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
+If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
- 
+>DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
- Figure 8. Selecting the DaRT 10 feature in the deployment share.
+On **MDT01**:
+
+1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\\\x64\\MSDaRT100.msi).
+2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
+
+ 
+
+2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
+3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
+4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
+5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
+
+ 
+
+ Selecting the DaRT 10 feature in the deployment share.
8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
10. Click **OK**.
-### Update the deployment share
+### Update the deployment share
Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created.
1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
@@ -490,57 +553,75 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee
>[!NOTE]
>The update process will take 5 to 10 minutes.
-
-## Step 8: Deploy the Windows 10 client image
+
+## Step 8: Deploy the Windows 10 client image
These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process.
### Configure Windows Deployment Services
-You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. For the following steps, we assume that Windows Deployment Services has already been installed on MDT01.
-1. Using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
-2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings.
+You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-windows-deployment-services-wds) article.
+
+On **MDT01**:
+
+1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**.
+2. Right-click **Boot Images** and select **Add Boot Image**.
+3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
-Figure 9. The boot image added to the WDS console.
+The boot image added to the WDS console.
### Deploy the Windows 10 client
At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine:
-1. Create a virtual machine with the following settings:
- 1. Name: PC0005
- 2. Location: C:\\VMs
- 3. Generation: 2
- 4. Memory: 2048 MB
- 5. Hard disk: 60 GB (dynamic disk)
-2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The machine will now load the Windows PE boot image from the WDS server.
+
+On **HV01**:
+
+1. Create a virtual machine with the following settings:
+ 1. Name: PC0005
+ 2. Store the virtual machine in a different location: C:\VM
+ 3. Generation: 2
+ 4. Memory: 2048 MB
+ 5. Network: Must be able to connect to \\MDT01\MDTProduction$
+ 6. Hard disk: 60 GB (dynamic disk)
+ 7. Installation Options: Install an operating system from a network-based installation server
+2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
- Figure 10. The initial PXE boot process of PC0005.
+ The initial PXE boot process of PC0005.
3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
- 1. Password: P@ssw0rd
- 2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
- 3. Computer Name: PC0005
- 4. Applications: Select the Install - Adobe Reader XI - x86 application.
-4. The setup now starts and does the following:
+ 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+ 2. Computer Name: **PC0005**
+ 3. Applications: Select the **Install - Adobe Reader** checkbox.
+4. Setup now begins and does the following:
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added application.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
+
+
+### Application installation
+
+Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed automatically.
+
+ 
+
### Use the MDT monitoring feature
-Now that you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node.
+Since you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node.
-1. On MDT01, using Deployment Workbench, expand the **MDT Production** deployment share folder.
+On **MDT01**:
+
+1. In the Deployment Workbench, expand the **MDT Production** deployment share folder.
2. Select the **Monitoring** node, and wait until you see PC0005.
3. Double-click PC0005, and review the information.
-Figure 11. The Monitoring node, showing the deployment progress of PC0005.
+The Monitoring node, showing the deployment progress of PC0005.
### Use information in the Event Viewer
@@ -548,11 +629,11 @@ When monitoring is enabled, MDT also writes information to the event viewer on M
-Figure 12. The Event Viewer showing a successful deployment of PC0005.
+The Event Viewer showing a successful deployment of PC0005.
-## Multicast deployments
+## Multicast deployments
-Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it.
+Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. If you have a limited number of simultaneous deployments, you probably do not need to enable multicast.
### Requirements
@@ -563,25 +644,30 @@ Internet Group Management Protocol (IGMP) snooping is turned on and that the net
Setting up MDT for multicast is straightforward. You enable multicast on the deployment share, and MDT takes care of the rest.
-1. On MDT01, right-click the **MDT Production** deployment share folder and select **Properties**.
-2. In the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and click **OK**.
+On **MDT01**:
+
+1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**.
+2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and click **OK**.
3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
-Figure 13. The newly created multicast namespace.
+The newly created multicast namespace.
-## Use offline media to deploy Windows 10
+## Use offline media to deploy Windows 10
-In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment.
+In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment.
Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire.
### Create the offline media selection profile
To filter what is being added to the media, you create a selection profile. When creating selection profiles, you quickly realize the benefits of having created a good logical folder structure in the Deployment Workbench.
-1. On MDT01, using Deployment Workbench, in the **MDT Production / Advanced Configuration** node, right-click **Selection Profile**, and select **New Selection Profile**.
+
+On **MDT01**:
+
+1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**.
2. Use the following settings for the New Selection Profile Wizard:
1. General Settings
- Selection profile name: Windows 10 Offline Media
@@ -592,48 +678,58 @@ To filter what is being added to the media, you create a selection profile. When
4. Out-Of-Box Drivers / Windows 10 x64
5. Task Sequences / Windows 10
+ 
+
### Create the offline media
In these steps, you generate offline media from the MDT Production deployment share. To filter what is being added to the media, you use the previously created selection profile.
-1. On MDT01, using File Explorer, create the **E:\\MDTOfflineMedia** folder.
+1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder.
- >[!NOTE]
- >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media.
+ >[!NOTE]
+ >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media.
-2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
+2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
3. Use the following settings for the New Media Wizard:
- General Settings
- 1. Media path: **E:\\MDTOfflineMedia**
- 2. Selection profile: Windows 10 Offline Media
+ 1. Media path: **D:\\MDTOfflineMedia**
+ 2. Selection profile: **Windows 10 Offline Media**
### Configure the offline media
Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini files. These files are stored in the Control folder of the offline media; they also can be accessed via properties of the offline media in the Deployment Workbench.
-1. On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\MDTProduction\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
-2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
+On **MDT01**:
+
+1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
+2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
3. In the **General** tab, configure the following:
1. Clear the Generate x86 boot image check box.
2. ISO file name: Windows 10 Offline Media.iso
-4. Still in the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
-5. In the **General** sub tab, configure the following settings:
+4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+5. On the **General** sub tab, configure the following settings:
1. In the **Lite Touch Boot Image Settings** area:
- Image description: MDT Production x64
2. In the **Windows PE Customizations** area, set the Scratch space size to 128.
-6. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
7. Click **OK**.
### Generate the offline media
-You have now configured the offline media deployment share however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO.
+You have now configured the offline media deployment share, however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO.
-1. On MDT01, using Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
-2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **E:\\MDTOfflineMedia\\Content** folder.
+On **MDT01**:
+
+1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
+2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes.
### Create a bootable USB stick
The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
+
+>[!TIP]
+>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. This means you must split the .wim file, which can be done using DISM:
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\True\), so this must be changed and the offline media content updated.
+
Follow these steps to create a bootable USB stick from the offline media content:
1. On a physical machine running Windows 7 or later, insert the USB stick you want to use.
@@ -643,24 +739,19 @@ Follow these steps to create a bootable USB stick from the offline media content
5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
6. In the Diskpart utility, type **active**, and then type **exit**.
-## Unified Extensible Firmware Interface (UEFI)-based deployments
+## Unified Extensible Firmware Interface (UEFI)-based deployments
-As referenced in [Windows 10 deployment tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI.
+As referenced in [Windows 10 deployment scenarios and tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI.
-Figure 14. The partitions when deploying an UEFI-based machine.
+The partitions when deploying an UEFI-based machine.
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
deleted file mode 100644
index bc6f898741..0000000000
--- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
-description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
-ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, tools, configure, script
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.pagetype: mdt
-ms.topic: article
----
-
-# Deploy Windows 10 with the Microsoft Deployment Toolkit
-
-**Applies to**
-- Windows 10
-
-This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
-
-The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
-MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager.
-
-To download the latest version of MDT, visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-## In this section
-
-- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-- [Configure MDT settings](configure-mdt-settings.md)
-
-## Proof-of-concept environment
-
-For the purposes of this guide, and the topics discussed herein, we will use the following servers and client machines: DC01, MDT01, CM01, PC0001, and PC0002.
-
-
-
-Figure 1. The servers and machines used for examples in this guide.
-
-DC01 is a domain controller; the other servers and client machines are members of the domain contoso.com for the fictitious Contoso Corporation.
-
-
-
-Figure 2. The organizational unit (OU) structure used in this guide.
-
-### Server details
-
-- **DC01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as Active Directory Domain Controller, DNS Server, and DHCP Server in the contoso.com domain.
- - Server name: DC01
- - IP Address: 192.168.1.200
- - Roles: DNS, DHCP, and Domain Controller
-- **MDT01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain.
- - Server name: MDT01
- - IP Address: 192.168.1.210
-- **CM01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain.
- - Server name: CM01
- - IP Address: 192.168.1.214
-
-### Client machine details
-
-- **PC0001.** A Windows 10 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced as the admin workstation.
- - Client name: PC0001
- - IP Address: DHCP
-- **PC0002.** A Windows 7 SP1 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced during the migration scenarios.
- - Client name: PC0002
- - IP Address: DHCP
-
-## Sample files
-
-The information in this guide is designed to help you deploy Windows 10. In order to help you put the information you learn into practice more quickly, we recommend that you download a small set of sample files for the fictitious Contoso Corporation:
-- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
-- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
-- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
-
-## Related topics
-
-[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-[Windows 10 deployment tools](../windows-deployment-scenarios-and-tools.md)
-
-[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-
-[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-
-[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-
-[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md)
-
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index e7742fa773..00c0a446a3 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -1,54 +1,171 @@
----
-title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
-description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
-ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, image, feature, install, tools
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Get started with the Microsoft Deployment Toolkit (MDT)
-
-**Applies to**
-- Windows 10
-
-This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager.
-
-In addition to familiarizing you with the features and options available in MDT, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process.
-
-For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see
-[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-- [Key features in MDT](key-features-in-mdt.md)
-- [MDT Lite Touch components](mdt-lite-touch-components.md)
-- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
-
-## Related topics
-
-[Microsoft Deployment Toolkit downloads and documentation](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
+---
+title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
+description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
+ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, image, feature, install, tools
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Get started with MDT
+
+**Applies to**
+- Windows 10
+
+This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+## About MDT
+
+MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today.
+
+In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
+
+MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/).
+
+## Key features in MDT
+
+MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment.
+
+MDT has many useful features, such as:
+- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10.
+- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
+- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry.
+- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
+- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI.
+- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
+
+ 
+
+ The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
+
+- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
+- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
+- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
+- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
+- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard.
+- **Monitoring.** Allows you to see the status of currently running deployments.
+- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
+- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
+- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
+- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
+
+ 
+
+ The offline USMT backup in action.
+
+- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
+- **Microsoft System Center Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence.
+- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image.
+- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office.
+- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
+- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
+- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+## MDT Lite Touch components
+
+Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
+
+When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
+
+
+
+If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
+
+## Deployment shares
+
+A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment.
+
+## Rules
+
+The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
+- Computer name
+- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
+- Whether to enable BitLocker
+- Regional settings
+You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+
+
+Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
+
+## Boot images
+
+Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment
+share on the server and start the deployment.
+
+## Operating systems
+
+Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
+
+## Applications
+
+Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps.
+
+## Driver repository
+
+You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image.
+
+## Packages
+
+With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts.
+
+## Task sequences
+
+Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
+
+You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
+- **Gather.** Reads configuration settings from the deployment server.
+- **Format and Partition.** Creates the partition(s) and formats them.
+- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
+- **Apply Operating System.** Uses ImageX to apply the image.
+- **Windows Update.** Connects to a WSUS server and updates the machine.
+
+## Task sequence templates
+
+MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence.
+- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
+
+ **Note**: It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot.
+
+- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
+- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
+- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action).
+- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers.
+- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
+- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments.
+- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
+- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers.
+- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
+
+## Selection profiles
+
+Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
+- Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
+- Control which drivers are injected during the task sequence.
+- Control what is included in any media that you create.
+- Control what is replicated to other deployment shares.
+- Filter which task sequences and applications are displayed in the Deployment Wizard.
+
+## Logging
+
+MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
+
+**Note**
+The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
+
+## Monitoring
+
+On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench.
+
+## See next
+
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
deleted file mode 100644
index 54b6e72815..0000000000
--- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: Integrate Configuration Manager with MDT (Windows 10)
-description: Understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy Windows.
-ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.pagetype: mdt
-keywords: deploy, image, customize, task sequence
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Integrate Configuration Manager with MDT
-
-**Applies to**
-- Windows 10
-
-This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
-MDT is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-
-## Why integrate MDT with Configuration Manager
-
-As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
-
-> [!Note]
-> Microsoft Deployment Toolkit requires you to install [Windows PowerShell 2.0 Engine](https://docs.microsoft.com/powershell/scripting/install/installing-the-windows-powershell-2.0-engine) on your server.
-
-### MDT enables dynamic deployment
-
-When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
-
-The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
-- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
-
- ``` syntax
- [Settings]
- Priority=Model
- [HP EliteBook 8570w]
- Packages001=PS100010:Install HP Hotkeys
- ```
-- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
-
- ``` syntax
- [Settings]
- Priority= ByLaptopType, ByDesktopType
- [ByLaptopType]
- Subsection=Laptop-%IsLaptop%
- [ByDesktopType]
- Subsection=Desktop-%IsDesktop%
- [Laptop-True]
- Packages001=PS100012:Install Cisco VPN Client
- OSDComputerName=LT-%SerialNumber%
- MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
- [Desktop-True]
- OSDComputerName=DT-%SerialNumber%
- MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
- ```
-
-
-
-Figure 2. The Gather action in the task sequence is reading the rules.
-
-### MDT adds an operating system deployment simulation environment
-
-When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-settings.md).
-
-
-
-Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
-
-### MDT adds real-time monitoring
-
-With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
-
-
-
-Figure 4. View the real-time monitoring data with PowerShell.
-
-### MDT adds an optional deployment wizard
-
-For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
-
-
-
-Figure 5. The optional UDI wizard open in the UDI Wizard Designer.
-
-MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
-
-## Why use MDT Lite Touch to create reference images
-
-You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
-- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager.
-- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
-- Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
-- The Configuration Manager task sequence does not suppress user interface interaction.
-- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
-- MDT Lite Touch does not require any infrastructure and is easy to delegate.
-
-## Related topics
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
deleted file mode 100644
index f0fe20a593..0000000000
--- a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Key features in MDT (Windows 10)
-description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0.
-ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, feature, tools, upgrade, migrate, provisioning
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Key features in MDT
-
-**Applies to**
-- Windows 10
-
-The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment.
-
-MDT has many useful features, the most important of which are:
-- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10.
-- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
-- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry.
-- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
-- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI.
-- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
-
- 
-
- Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
-
-- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
-- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
-- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
-- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
-- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard.
-- **Monitoring.** Allows you to see the status of currently running deployments.
-- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
-- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
-- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
-- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
-
- 
-
- Figure 3. The offline USMT backup in action.
-
-- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
-- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence.
-- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image.
-- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013.
-- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
-- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
-- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-## Related topics
-
-[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
-
-[MDT Lite Touch components](mdt-lite-touch-components.md)
-
-
diff --git a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
deleted file mode 100644
index 15f4f07658..0000000000
--- a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-title: MDT Lite Touch components (Windows 10)
-description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10.
-ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, install, deployment, boot, log, monitor
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# MDT Lite Touch components
-
-**Applies to**
-- Windows 10
-
-This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
-When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
-
-
-
-Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
-
-## Deployment shares
-
-A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment.
-
-## Rules
-
-The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
-- Computer name
-- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
-- Whether to enable BitLocker
-- Regional settings
-You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-
-
-Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
-
-## Boot images
-
-Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment
-share on the server and start the deployment.
-
-## Operating systems
-
-Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
-
-## Applications
-
-Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps.
-
-## Driver repository
-
-You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image.
-
-## Packages
-
-With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts.
-
-## Task sequences
-
-Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
-
-You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
-- **Gather.** Reads configuration settings from the deployment server.
-- **Format and Partition.** Creates the partition(s) and formats them.
-- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
-- **Apply Operating System.** Uses ImageX to apply the image.
-- **Windows Update.** Connects to a WSUS server and updates the machine.
-
-## Task sequence templates
-
-MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence.
-- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
-
- **Note**
- It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot.
-
-- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
-- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
-- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action).
-- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers.
-- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
-- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments.
-- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
-- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers.
-- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
-
-## Selection profiles
-
-Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
-- Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
-- Control which drivers are injected during the task sequence.
-- Control what is included in any media that you create.
-- Control what is replicated to other deployment shares.
-- Filter which task sequences and applications are displayed in the Deployment Wizard.
-
-## Logging
-
-MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
-
-**Note**
-The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
-
-## Monitoring
-
-On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench.
-
-## Related topics
-
-[Key features in MDT](key-features-in-mdt.md)
-
-[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index aa2e3ff40e..52246fddfd 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -1,6 +1,6 @@
---
title: Prepare for deployment with MDT (Windows 10)
-description: Learn how to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
+description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
ms.reviewer:
manager: laurawi
@@ -19,51 +19,176 @@ ms.topic: article
# Prepare for deployment with MDT
**Applies to**
-- Windows 10
+- Windows 10
-This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory.
+This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory.
-For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+## Infrastructure
-## System requirements
+The procedures in this guide use the following names and infrastructure.
-MDT requires the following components:
-- Any of the following operating systems:
- - Windows 7
- - Windows 8
- - Windows 8.1
- - Windows 10
- - Windows Server 2008 R2
- - Windows Server 2012
- - Windows Server 2012 R2
-- Windows Assessment and Deployment Kit (ADK) for Windows 10
-- Windows PowerShell
-- Microsoft .NET Framework
+### Network and servers
-## Install Windows ADK for Windows 10
+For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**.
+- All servers are running Windows Server 2019.
+ - You can use an earlier version of Windows Server with minor modifications to some procedures.
+ - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is requried to perform the procedures in this guide.
+- **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation.
+- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
+ - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
+- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image.
+ - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01.
-These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder.
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
-2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**.
-3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings:
- 1. Deployment Tools
- 2. Windows Preinstallation Environment (Windows PE)
- 3. User State Migration Tool (USMT)
+### Client computers
- >[!IMPORTANT]
- >Starting with Windows 10, version 1809, Windows PE is released separately from the ADK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information.
+Several client computers are referenced in this guide with hostnames of PC0001 to PC0007.
-## Install MDT
+- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
+ - Client name: PC0001
+ - IP Address: DHCP
+- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
+ - Client name: PC0002
+ - IP Address: DHCP
+- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.
-These steps assume that you have downloaded [MDT](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT folder on MDT01.
+### Storage requirements
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
-2. Install **MDT** (E:\\Downloads\\MDT\\MicrosoftDeploymentToolkit\_x64.msi) with the default settings.
+MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust come procedures in this guide to specify the C: drive instead of the D: drive.
-## Create the OU structure
+### Hyper-V requirements
-If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT.
-1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**.
+If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](https://docs.microsoft.com/windows/deployment/windows-10-poc#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
+
+### Network requirements
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+### Domain credentials
+
+The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
+
+**Active Directory domain name**: contoso.com
+**Domain administrator username**: administrator
+**Domain administrator password**: pass@word1
+
+### Organizational unit structure
+
+The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs.
+
+
+
+## Install the Windows ADK
+
+These steps assume that you have the MDT01 member server running and configured as a domain member server.
+
+On **MTD01**:
+
+Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder):
+- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
+- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
+- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
+
+>[!TIP]
+>You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
+
+1. On **MDT01**, ensure that you are signed in as an administrator in the CONTOSO domain.
+ - For the purposes of this guide, we are using a Domain Admin account of **administrator** with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
+2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
+3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
+4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file.
+ - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later.
+
+## Install and initialize Windows Deployment Services (WDS)
+
+On **MDT01**:
+
+1. Open an elevated Windows PowerShell prompt and enter the following command:
+
+ ```powershell
+ Install-WindowsFeature -Name WDS -IncludeManagementTools
+ WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
+ WDSUTIL /Set-Server /AnswerClients:All
+ ```
+
+## Optional: Install Windows Server Update Services (WSUS)
+
+If you wish to use MDT as a WSUS server using the Windows Internal Database (WID), use the following command to install this service. Alternatively, change the WSUS server information in this guide to the WSUS server in your environment.
+
+To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt:
+
+ ```powershell
+ Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
+ cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
+ ```
+
+>To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus#configure-automatic-updates-and-update-service-location) on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01.
+
+## Install MDT
+
+>[!NOTE]
+>MDT installation requires the following:
+>- The Windows ADK for Windows 10 (installed in the previous procedure)
+>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
+>- Microsoft .NET Framework
+
+On **MDT01**:
+
+1. Visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117) and click **Download MDT**.
+2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01.
+ - **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
+3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings.
+
+## Create the OU structure
+
+Switch to **DC01** and perform the following procedures on **DC01**:
+
+To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell.
+
+To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.
+
+```powershell
+$oulist = Import-csv -Path c:\oulist.txt
+ForEach($entry in $oulist){
+ $ouname = $entry.ouname
+ $oupath = $entry.oupath
+ New-ADOrganizationalUnit -Name $ouname -Path $oupath
+ Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
+}
+```
+
+Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt
+
+```text
+OUName,OUPath
+Contoso,"DC=CONTOSO,DC=COM"
+Accounts,"OU=Contoso,DC=CONTOSO,DC=COM"
+Computers,"OU=Contoso,DC=CONTOSO,DC=COM"
+Groups,"OU=Contoso,DC=CONTOSO,DC=COM"
+Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"
+```
+
+Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script:
+
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
+Set-Location C:\Setup\Scripts
+.\ou.ps1
+```
+
+This will create an OU structure as shown below.
+
+
+
+To use the Active Directory Users and Computers console (instead of PowerShell):
+
+On **DC01**:
+
+1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**.
2. In the **Contoso** OU, create the following OUs:
1. Accounts
2. Computers
@@ -76,55 +201,62 @@ If you do not have an organizational unit (OU) structure in your Active Director
1. Servers
2. Workstations
5. In the **Contoso / Groups** OU, create the following OU:
- - Security Groups
+ 1. Security Groups
-
+The final result of either method is shown below. The **MDT_BA** account will be created next.
-Figure 6. A sample of how the OU structure will look after all the OUs are created.
+## Create the MDT service account
-## Create the MDT service account
+When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
-When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
-1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings:
- 1. Name: MDT\_BA
- 2. User logon name: MDT\_BA
- 3. Password: P@ssw0rd
- 4. User must change password at next logon: Clear
- 5. User cannot change password: Selected
- 6. Password never expires: Selected
+To create an MDT build account, open an elevalted Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1":
-## Create and share the logs folder
+```powershell
+New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
+```
+If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above.
+
+## Create and share the logs folder
By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+On **MDT01**:
- ``` powershell
- New-Item -Path E:\Logs -ItemType directory
- New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
- icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
+1. Sign in as **CONTOSO\\administrator**.
+2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+
+ ```powershell
+ New-Item -Path D:\Logs -ItemType directory
+ New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
+ icacls D:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
```
-
+See the following example:
-Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell.
+
-## Use CMTrace to read log files (optional)
+## Use CMTrace to read log files (optional)
-The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read.
+The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](https://docs.microsoft.com/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool.
+You can use Notepad (example below):
-Figure 8. An MDT log file opened in Notepad.
+Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace:
+After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and pin the tool to your taskbar for easy access.
-Figure 9. The same log file, opened in CMTrace, is much easier to read.
-## Related topics
+## Next steps
-[Key features in MDT](key-features-in-mdt.md)
+When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-[MDT Lite Touch components](mdt-lite-touch-components.md)
+## Appendix
+
+**Sample files**
+
+The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell.
+- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
+- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
+- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index 6c0524658f..c0f5f7d8a1 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -1,132 +1,120 @@
----
-title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
-description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
-ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: reinstallation, customize, template, script, restore
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Refresh a Windows 7 computer with Windows 10
-
-**Applies to**
-- Windows 10
-
-This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version.
-
-For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
-
-Figure 1. The machines used in this topic.
-
-## The computer refresh process
-
-Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation.
-For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
-
-1. Back up data and settings locally, in a backup folder.
-
-2. Wipe the partition, except for the backup folder.
-
-3. Apply the new operating system image.
-
-4. Install other applications.
-
-5. Restore data and settings.
-
-During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
-
->[!NOTE]
->In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
-
-### Multi-user migration
-
-By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a machine that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up
-by configuring command-line switches to ScanState (added as rules in MDT).
-
-As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
-
->[!NOTE]
->You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
-
-### Support for additional settings
-
-In addition to the command-line switches that control which profiles to migrate, the XML templates control exactly what data is being migrated. You can control data within and outside the user profiles
-
-## Create a custom User State Migration Tool (USMT) template
-
-In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will:
-
-1. Back up the **C:\\Data** folder (including all files and folders).
-
-2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine.
- The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
-
- * [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
- * [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
- * [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
-
-### Add the custom XML template
-
-In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file.
-1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder.
-2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line:
-
- ``` syntax
- USMTMigFiles003=MigContosoData.xml
- ```
-3. Save the CustomSettings.ini file.
-
-## Refresh a Windows 7 SP1 client
-
-After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10.
-
->[!NOTE]
->MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-### Upgrade (refresh) a Windows 7 SP1 client
-
-1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings:
-
- * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
- * Computer name: <default>
- * Specify where to save a complete computer backup: Do not back up the existing computer
- >[!NOTE]
- >Skip this optional full WIM backup. The USMT backup will still run.
-
-2. Select one or more applications to install: Install - Adobe Reader XI - x86
-
-3. The setup now starts and does the following:
-
- * Backs up user settings and data using USMT.
- * Installs the Windows 10 Enterprise x64 operating system.
- * Installs the added application(s).
- * Updates the operating system via your local Windows Server Update Services (WSUS) server.
- * Restores user settings and data using USMT.
-
-
-
-Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
-
-## Related topics
-
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
+---
+title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
+description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
+ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: reinstallation, customize, template, script, restore
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Refresh a Windows 7 computer with Windows 10
+
+**Applies to**
+- Windows 10
+
+This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+For the purposes of this topic, we will use three computers: DC01, MDT01, and PC0001.
+- DC01 is a domain controller for the contoso.com domain.
+- MDT01 is domain member server that hosts your deployment share.
+- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1.
+
+Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+
+
+The computers used in this topic.
+
+## The computer refresh process
+
+A computer refresh is not the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings.
+
+For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
+
+1. Back up data and settings locally, in a backup folder.
+2. Wipe the partition, except for the backup folder.
+3. Apply the new operating system image.
+4. Install other applications.
+5. Restore data and settings.
+
+During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
+
+>[!NOTE]
+>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
+
+### Multi-user migration
+
+By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT).
+
+For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
+
+>[!NOTE]
+>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
+
+### Support for additional settings
+
+In addition to the command-line switches that control which profiles to migrate, [XML templates](https://docs.microsoft.com/windows/deployment/usmt/understanding-migration-xml-files) control exactly what data is being migrated. You can control data within and outside the user profiles.
+
+### Multicast
+
+Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You will need to update the deployment share after changing this setting.
+
+## Refresh a Windows 7 SP1 client
+
+In these section, we assume that you have already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01:
+
+- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+
+It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we will refreshing a Windows 7 SP1 PC to Windows 10, version 1909.
+
+### Upgrade (refresh) a Windows 7 SP1 client
+
+>[!IMPORTANT]
+>Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer.
+
+1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**.
+2. Complete the deployment guide using the following settings:
+
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+ * Computer name: <default>
+ * Specify where to save a complete computer backup: Do not back up the existing computer
+ >[!NOTE]
+ >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
+ * Select one or more applications to install: Install - Adobe Reader
+
+ 
+
+4. Setup starts and does the following:
+
+ * Backs up user settings and data using USMT.
+ * Installs the Windows 10 Enterprise x64 operating system.
+ * Installs any added applications.
+ * Updates the operating system using your local Windows Server Update Services (WSUS) server.
+ * Restores user settings and data using USMT.
+
+5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
+
+ 
+
+6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
+
+## Related topics
+
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index f9d1c1f252..1f16c8febd 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -21,68 +21,75 @@ ms.topic: article
**Applies to**
- Windows 10
-A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
-For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings.
-
+For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002, and PC0007.
+- DC01 is a domain controller for the contoso.com domain.
+- MDT01 is domain member server that hosts your deployment share.
+- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007.
+- PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain.
-Figure 1. The machines used in this topic.
+For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-## Prepare for the computer replace
+
-When preparing for the computer replace, you need to create a folder in which to store the backup, and a backup only task sequence that you run on the old computer.
+The computers used in this topic.
+
+>HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer.
+
+## Prepare for the computer replace
+
+ To prepare for the computer replace, you need to create a folder in which to store the backup and a backup only task sequence to run on the old computer.
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
-1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules.
+On **MDT01**:
-2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
+1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, click **Properties**, and then click the **Rules** tab.
+2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
+3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default setttings.
### Create and share the MigData folder
-1. On MDT01, log on as **CONTOSO\\Administrator**.
+On **MDT01**:
-2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
+1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` powershell
- New-Item -Path E:\MigData -ItemType directory
- New-SmbShare -Name MigData$ -Path E:\MigData
- -ChangeAccess EVERYONE
- icacls E:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
+ New-Item -Path D:\MigData -ItemType directory
+ New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE
+ icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
```
### Create a backup only (replace) task sequence
-3. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**.
+2. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**.
-4. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+3. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
* Task sequence ID: REPLACE-001
* Task sequence name: Backup Only Task Sequence
* Task sequence comments: Run USMT to backup user data and settings
* Template: Standard Client Replace Task Sequence
-5. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
+4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
- Figure 2. The Backup Only Task Sequence action list.
+ The Backup Only Task Sequence action list.
-## Perform the computer replace
+## Perform the computer replace
During a computer replace, these are the high-level steps that occur:
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
+2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
-2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
+### Run the replace task sequence
-### Execute the replace task sequence
+On **PC0002**:
-1. On PC0002, log on as **CONTOSO\\Administrator**.
-
-2. Verify that you have write access to the **\\\\MDT01\\MigData$** share.
-
-3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
-
-4. Complete the Windows Deployment Wizard using the following settings:
+1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share.
+2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
+3. Complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Backup Only Task Sequence
* Specify where to save your data and settings: Specify a location
@@ -92,21 +99,24 @@ During a computer replace, these are the high-level steps that occur:
>If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
2. Specify where to save a complete computer backup: Do not back up the existing computer
- 3. Password: P@ssw0rd
- The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
+ The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer.
- Figure 3. The new task sequence running the Capture User State action on PC0002.
+ The new task sequence running the Capture User State action on PC0002.
-5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
+4. On **MDT01**, verify that you have an USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder.
- Figure 4. The USMT backup of PC0002.
+ The USMT backup of PC0002.
-### Deploy the PC0007 virtual machine
+### Deploy the replacement computer
+
+To demonstrate deployment of the replacement computer, HV01 is used to host a virtual machine: PC0007.
+
+On **HV01**:
1. Create a virtual machine with the following settings:
@@ -115,38 +125,40 @@ During a computer replace, these are the high-level steps that occur:
* Generation: 2
* Memory: 2048 MB
* Hard disk: 60 GB (dynamic disk)
+ * Install an operating system from a network-based installation server
-2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
+2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site).
- Figure 5. The initial PXE boot process of PC0005.
+ The initial PXE boot process of PC0007.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
- * Password: P@ssw0rd
* Select a task sequence to execute on this computer:
* Windows 10 Enterprise x64 RTM Custom Image
* Computer Name: PC0007
- * Applications: Select the Install - Adobe Reader XI - x86 application.
+ * Move Data and Settings: Do not move user data and settings.
+ * User Data (Restore) > Specify a location: \\\\MDT01\\MigData$\\PC0002
+ * Applications: Adobe > Install - Adobe Reader
-4. The setup now starts and does the following:
+4. Setup now starts and does the following:
+ * Partitions and formats the disk.
* Installs the Windows 10 Enterprise operating system.
- * Installs the added application.
+ * Installs the application.
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores the USMT backup from PC0002.
+You can view progress of the process by clicking the Monitoring node in the Deployment Workbrench on MDT01.
+
+
+
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 03899e149e..c6400f67e9 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -31,13 +31,16 @@ To configure your environment for BitLocker, you will need to do the following:
4. Configure the rules (CustomSettings.ini) for BitLocker.
> [!NOTE]
-> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
+> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
> [!NOTE]
-> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511.
+> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
-For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+>[!NOTE]
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+
+For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Configure Active Directory for BitLocker
@@ -50,7 +53,7 @@ In Windows Server version from 2008 R2 and later, you have access to the BitLock
-Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.
+The BitLocker Recovery information on a computer object in the contoso.com domain.
### Add the BitLocker Drive Encryption Administration Utilities
@@ -69,7 +72,7 @@ The BitLocker Drive Encryption Administration Utilities are added as features vi
-Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.
+Selecting the BitLocker Drive Encryption Administration Utilities.
### Create the BitLocker Group Policy
@@ -92,7 +95,7 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor
### Set permissions in Active Directory for BitLocker
-In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
+In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191) from Microsoft to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command:
@@ -103,7 +106,7 @@ In addition to the Group Policy created previously, you need to configure permis
-Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
+Running the Add-TPMSelfWriteACE.vbs script on DC01.
## Add BIOS configuration tools from Dell, HP, and Lenovo
@@ -161,16 +164,10 @@ In the following task sequence, we added five actions:
## Related topics
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index 6278b32fe5..cb28eea313 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -18,15 +18,26 @@ ms.topic: article
# Simulate a Windows 10 deployment in a test environment
-This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined machine (client or server). In the following example, you use the PC0001 Windows 10 client.
-For the purposes of this topic, you already will have either downloaded and installed the free Microsoft System Center 2012 R2 Configuration Manager Toolkit, or copied Configuration Manager Trace (CMTrace) if you have access to the System Center 2012 R2 Configuration Manager media. We also assume that you have downloaded the [sample Gather.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619361) from the TechNet gallery.
+This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined client.
-1. On PC0001, log on as **CONTOSO\\Administrator** using the password P@ssw0rd.
-2. Using Computer Management, add the **CONTOSO\\MDT\_BA** user account to the local **Administrators** group.
-3. Log off, and then log on to PC0001 as **CONTOSO\\MDT\_BA**.
-4. Using File Explorer, create a folder named **C:\\MDT**.
-5. Copy the downloaded Gather.ps1 script to the **C:\\MDT** folder.
-6. From the **\\\\MDT01\\MDTProduction$\\Scripts** folder, copy the following files to **C:\\MDT**:
+## Test environment
+
+- A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts.
+- It is assumed that you have performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share:
+ - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+ - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+ - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+
+## Simulate deployment
+
+On **PC0001**:
+
+1. Sign as **contoso\\Administrator**.
+2. Download the [sample Gather.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619361) from the TechNet gallery and copy it to a directory named **C:\MDT** on PC0001.
+3. Download and install the free [Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool.
+4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group.
+5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**.
+6. Open the **\\\\MDT01\\MDTProduction$\\Scripts** folder and copy the following files to **C:\\MDT**:
1. ZTIDataAccess.vbs
2. ZTIGather.wsf
3. ZTIGather.xml
@@ -35,36 +46,32 @@ For the purposes of this topic, you already will have either downloaded and inst
8. In the **C:\\MDT** folder, create a subfolder named **X64**.
9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**.
- 
+ 
- Figure 6. The C:\\MDT folder with the files added for the simulation environment.
+ The C:\\MDT folder with the files added for the simulation environment.
-10. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press Enter after each command:
+10. Type the following at an elevated Windows PowerShell prompt:
``` powershell
+ Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
Set-Location C:\MDT
.\Gather.ps1
```
-11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
+ When prompted, press **R** to run the gather script.
+
+11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder using CMTrace.
**Note**
Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment.
+ 
-
-
-Figure 7. The ZTIGather.log file from PC0001, displaying some of its hardware capabilities.
+ The ZTIGather.log file from PC0001.
## Related topics
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
new file mode 100644
index 0000000000..38604acbf4
--- /dev/null
+++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -0,0 +1,114 @@
+---
+title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
+description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
+ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Perform an in-place upgrade to Windows 10 with MDT
+
+**Applies to**
+- Windows 10
+
+The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
+
+>[!TIP]
+>In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
+
+In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade.
+
+Three computers are used in this topic: DC01, MDT01, and PC0002.
+
+- DC01 is a domain controller for the contoso.com domain
+- MDT01 is a domain member server
+- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
+
+ 
+
+ The computers used in this topic.
+
+>[!NOTE]
+>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+>If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source).
+
+## Create the MDT production deployment share
+
+On **MDT01**:
+
+1. Ensure you are signed on as: contoso\administrator.
+2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
+4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
+5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
+6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
+7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
+
+## Add Windows 10 Enterprise x64 (full source)
+
+>If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
+
+On **MDT01**:
+
+1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01.
+2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
+3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
+4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
+ - Full set of source files
+ - Source directory: (location of your source files)
+ - Destination directory name: W10EX64RTM
+5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**.
+
+## Create a task sequence to upgrade to Windows 10 Enterprise
+
+On **MDT01**:
+
+1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
+2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ - Task sequence ID: W10-X64-UPG
+ - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
+ - Template: Standard Client Upgrade Task Sequence
+ - Select OS: Windows 10 Enterprise x64 RTM Default Image
+ - Specify Product Key: Do not specify a product key at this time
+ - Organization: Contoso
+ - Admin Password: Do not specify an Administrator password at this time
+
+## Perform the Windows 10 upgrade
+
+To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded).
+
+On **PC0002**:
+
+1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
+2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**.
+3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader
+4. On the **Ready** tab, click **Begin** to start the task sequence.
+ When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
+
+
+
+
+
+
+
+
+
+
+
+After the task sequence completes, the computer will be fully upgraded to Windows 10.
+
+## Related topics
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
deleted file mode 100644
index 04dc40cc6e..0000000000
--- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10)
-description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
-ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, task sequence
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Add drivers for Windows PE
-
-
-This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the E:\\Sources\\OSD\\DriverSources\\WinPE x64 folder on CM01.
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, right-click the **Drivers** node and select **Import Driver**.
-
-2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**.
-
-3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**.
-
-4. On the **Select the packages to add the imported driver** page, click **Next**.
-
-5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
-
-
-
-*Figure 21. Add drivers to Windows PE*
-
->[!NOTE]
->The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
-
-
-## Add drivers for Windows 10
-
-
-This section illustrates how to add drivers for Windows 10 through an example in which you want to import Windows 10 drivers for the HP EliteBook 8560w model. For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the E:\\Sources\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w folder on CM01.
-
-1. On CM01, using the Configuration Manager Console, right-click the **Drivers** folder and select **Import Driver**.
-
-2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w** folder and click **Next**.
-
-3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
-
- 
-
- *Figure 22. Create driver categories*
-
-4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
-
- * Name: Windows 10 x64 - HP EliteBook 8560w
-
- * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
-
- >[!NOTE]
- >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
-
-
-5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
-
- >[!NOTE]
- >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
-
- 
-
- *Figure 23. Drivers imported and a new driver package created*
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
deleted file mode 100644
index 77ad24c498..0000000000
--- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
-description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features.
-ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: tool, customize, deploy, boot image
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Create a custom Windows PE boot image with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Add DaRT 10 files and prepare to brand the boot image
-
-
-The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp.
-
-1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings.
-
-2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
-
-3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
-
-4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
-
-5. Using File Explorer, navigate to the **C:\\Setup** folder.
-
-6. Copy the **Branding** folder to **E:\\Sources\\OSD**.
-
-## Create a boot image for Configuration Manager using the MDT wizard
-
-
-By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
-
-1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
-
-2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
-
- >[!NOTE]
- >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
-
-3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
-
-4. On the **Options** page, select the **x64** platform, and click **Next**.
-
-5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
-
- 
-
- Figure 15. Add the DaRT component to the Configuration Manager boot image.
-
-6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice.
-
- >[!NOTE]
- >It will take a few minutes to generate the boot image.
-
-7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
-
-8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
-
-9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image.
-
- 
-
- Figure 16. Content status for the Zero Touch WinPE x64 boot image
-
-10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
-
-11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**.
-
-12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages.
-
-13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
deleted file mode 100644
index f19cafa1a4..0000000000
--- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Create an app to deploy with Windows 10 using Configuration Manager
-description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
-ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, task sequence, custom, customize
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Create an application to deploy with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
->[!NOTE]
->Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
-
-## Example: Create the Adobe Reader XI application
-
-
-The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
-
-1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
-
-2. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
-
-3. Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**.
-
-4. Right-click the **OSD** folder, and select **Create Application**.
-
-5. In the Create Application Wizard, on the **General** page, use the following settings:
-
- * Automatically detect information about this application from installation files
-
- * Type: Windows Installer (\*.msi file)
-
- * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
-
- * \\AdbeRdr11000\_en\_US.msi
-
- 
-
- *Figure 19. The Create Application Wizard*
-
-6. Click **Next**, and wait while Configuration Manager parses the MSI file.
-
-7. On the **Import Information** page, review the information and then click **Next**.
-
-8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
-
- >[!NOTE]
- >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
-
- 
-
- *Figure 20. Add the "OSD Install" suffix to the application name*
-
-9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.
-
-10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
deleted file mode 100644
index 6b8c2133f1..0000000000
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
-description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences.
-ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, image, UEFI, task sequence
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 using PXE and Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001.
-
-For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
-
- 
-
- Figure 31. PXE booting PC0001.
-
-2. On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**.
-
-3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
-
-4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
-
-
-
-Figure 32. Typing in the computer name.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
deleted file mode 100644
index 06c696d2c7..0000000000
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: Deploy Windows 10 with Microsoft Endpoint Configuration Manager (Windows 10)
-description: If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10.
-ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, custom, boot
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 with Microsoft Endpoint Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
-
-For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-
-- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-
-- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
-
-- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-## Components of Configuration Manager operating system deployment
-
-
-Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
-
-- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
-
-- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
-
-- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
-
-- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
-
-- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
-
-- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
-
-- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
-
-- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
-
-- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
-
- **Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
-
-
-
-## See also
-
-
-- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
-- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
-
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-
-- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-
-- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
-
-- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
deleted file mode 100644
index 99f2e1edd9..0000000000
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ /dev/null
@@ -1,194 +0,0 @@
----
-title: Finalize operating system configuration for Windows 10 deployment
-description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment.
-ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: configure, deploy, upgrade
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft Endpoint Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Enable MDT monitoring
-
-
-This section will walk you through the process of creating the E:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
-
-1. On CM01, using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
-
- * Deployment share path: E:\\MDTProduction
-
- * Share name: MDTProduction$
-
- * Deployment share description: MDT Production
-
- * Options: <default settings>
-
-2. Right-click the **MDT Production** deployment share, and select **Properties**. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
-
- 
-
- *Figure 26. Enable MDT monitoring for Configuration Manager*
-
-## Create and share the Logs folder
-
-
-To support additional server-side logging in Configuration Manager, you create and share the E:\\Logs folder on CM01 using Windows PowerShell. Then in the next step, you enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence.
-
-1. On CM01, start an elevated Windows PowerShell prompt (run as Administrator).
-
-2. Type the following commands, pressing **Enter** after each one:
-
- ```
- New-Item -Path E:\Logs -ItemType directory
- New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
- icacls E:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
- ```
-
-## Configure the rules (Windows 10 x64 Settings package)
-
-
-This section will show you how to configure the rules (the Windows 10 x64 Settings package) to support the Contoso environment.
-
-1. On CM01, using File Explorer, navigate to the **E:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder.
-
-2. Using Notepad, edit the CustomSetting.ini file with the following settings:
-
- ```
- [Settings]
- Priority=Default
- Properties=OSDMigrateConfigFiles,OSDMigrateMode
- [Default]
- DoCapture=NO
- ComputerBackupLocation=NONE
- MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com
- OSDMigrateMode=Advanced
- OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
- OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
- SLSHARE=\\CM01\Logs$
- EventService=http://CM01:9800
- ApplyGPOPack=NO
- ```
-
- 
-
- *Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment*
-
-3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**.
-
- >[!NOTE]
- >Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes.
-
-
-
-## Distribute content to the CM01 distribution portal
-
-
-In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point.
-
-1. **On CM01, using the Configuration Manager Console**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content.**
-
-2. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
-
-3. Using Configuration Manager Trace, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully.
-
-## Create a deployment for the task sequence
-
-
-This sections provides steps to help you create a deployment for the task sequence.
-
-1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**.
-
-2. On the **General** page, select the **All Unknown Computers** collection and click **Next**.
-
-3. On the **Deployment Settings** page, use the following settings and then click **Next**:
-
- * Purpose: Available
-
- * Make available to the following: Only media and PXE
-
- 
-
- *Figure 28. Configure the deployment settings*
-
-4. On the **Scheduling** page, accept the default settings and click **Next**.
-
-5. On the **User Experience** page, accept the default settings and click **Next**.
-
-6. On the **Alerts** page, accept the default settings and click **Next**.
-
-7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
-
- 
-
- *Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE*
-
-## Configure Configuration Manager to prompt for the computer name during deployment (optional)
-
-
-You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
-
-This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names.
-
-1. Using the Configuration Manager Console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**.
-
-2. In the **Collection Variables** tab, create a new variable with the following settings:
-
- * Name: OSDComputerName
-
- * Clear the **Do not display this value in the Configuration Manager console** check box.
-
-3. Click **OK**.
-
- >[!NOTE]
- >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
-
- 
-
- *Figure 30. Configure a collection variable*
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
deleted file mode 100644
index c1461b27eb..0000000000
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Monitor the Windows 10 deployment with Configuration Manager
-description: Learn how to monitor a Windows 10 deployment with Configuration Manager. Use the Deployment Workbench to access the computer remotely.
-ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Monitor the Windows 10 deployment with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft Endpoint Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
-
-For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-To monitor an operating system deployment conducted through Microsoft Endpoint Configuration Manager, you will use the Deployment Workbench in MDT as follows:
-
-1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
-
- >[!NOTE]
- >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
-
- 
-
- *Figure 33. PC0001 being deployed by Configuration Manager*
-
-2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
-
-3. The task sequence will now run and do the following:
-
- * Install the Windows 10 operating system.
-
- * Install the Configuration Manager client and the client hotfix.
-
- * Join the machine to the domain.
-
- * Install the application added to the task sequence.
-
- >[!NOTE]
- >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
-
-4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
deleted file mode 100644
index 4ccb6b76ea..0000000000
--- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ /dev/null
@@ -1,285 +0,0 @@
----
-title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10)
-description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
-ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: install, configure, deploy, deployment
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-This topic will walk you through the process of integrating Microsoft Endpoint Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).
-
-## Prerequisites
-
-
-In this topic, you will use an existing Configuration Manager server structure to prepare for operating system deployment. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
-
-- Active Directory Schema has been extended and System Management container created.
-
-- Active Directory Forest Discovery and Active Directory System Discovery have been enabled.
-
-- IP range boundaries and a boundary group for content and site assignment have been created.
-
-- The Configuration Manager reporting services point role has been added and configured
-
-- A file system folder structure for packages has been created.
-
-- A Configuration Manager console folder structure for packages has been created.
-
-- Microsoft Endpoint Configuration Manager and any additional Windows 10 prerequisites are installed.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Create the Configuration Manager service accounts
-
-
-To configure permissions for the various service accounts needed for operating system deployment in Configuration Manager, you use a role-based model. To create the Configuration Manager Join Domain account as well as the Configuration Manager Network Access account, follow these steps:
-
-1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-
-2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
-
- * Name: CM\_JD
-
- * User logon name: CM\_JD
-
- * Password: P@ssw0rd
-
- * User must change password at next logon: Clear
-
- * User cannot change password: Select
-
- * Password never expires: Select
-
-3. Repeat the step, but for the CM\_NAA account.
-
-4. After creating the accounts, assign the following descriptions:
-
- * CM\_JD: Configuration Manager Join Domain Account
-
- * CM\_NAA: Configuration Manager Network Access Account
-
-
-
-Figure 6. The Configuration Manager service accounts used for operating system deployment.
-
-## Configure Active Directory permissions
-
-
-In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
-
-1. On DC01, log on as Administrator in the CONTOSO domain using the password P@ssw0rd.
-
-2. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands, pressing **Enter** after each command:
-
- ```
- Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
-
- Set-Location C:\Setup\Scripts
-
- .\Set-OUPermissions.ps1 -Account CM_JD
- -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
- ```
-
-3. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
-
- * Scope: This object and all descendant objects
-
- * Create Computer objects
-
- * Delete Computer objects
-
- * Scope: Descendant Computer objects
-
- * Read All Properties
-
- * Write All Properties
-
- * Read Permissions
-
- * Modify Permissions
-
- * Change Password
-
- * Reset Password
-
- * Validated write to DNS host name
-
- * Validated write to service principal name
-
-## Review the Sources folder structure
-
-
-To support the packages you create in this section, the following folder structure should be created on the Configuration Manager primary site server (CM01):
-
->[!NOTE]
->In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
-
-- E:\\Sources
-
-- E:\\Sources\\OSD
-
-- E:\\Sources\\OSD\\Boot
-
-- E:\\Sources\\OSD\\DriverPackages
-
-- E:\\Sources\\OSD\\DriverSources
-
-- E:\\Sources\\OSD\\MDT
-
-- E:\\Sources\\OSD\\OS
-
-- E:\\Sources\\OSD\\Settings
-
-- E:\\Sources\\Software
-
-- E:\\Sources\\Software\\Adobe
-
-- E:\\Sources\\Software\\Microsoft
-
-
-
-Figure 7. The E:\\Sources\\OSD folder structure.
-
-## Integrate Configuration Manager with MDT
-
-
-To extend the Configuration Manager console with MDT wizards and templates, you install MDT in the default location and run the integration setup. In these steps, we assume you have downloaded MDT to the C:\\Setup\\MDT2013 folder on CM01.
-
-1. On CM01, log on as Administrator in the CONTOSO domain using the password P@ssw0rd.
-
-2. Make sure the Configuration Manager Console is closed before continuing.
-
-3. Using File Explorer, navigate to the **C:\\Setup\\MDT** folder.
-
-4. Run the MDT setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard.
-
-5. From the Start screen, run Configure ConfigManager Integration with the following settings:
-
- * Site Server Name: CM01.contoso.com
-
- * Site code: PS1
-
-
-
-Figure 8. Set up the MDT integration with Configuration Manager.
-
-## Configure the client settings
-
-
-Most organizations want to display their name during deployment. In this section, you configure the default Configuration Manager client settings with the Contoso organization name.
-
-1. On CM01, using the Configuration Manager Console, in the Administration workspace, select **Client Settings**.
-
-2. In the right pane, right-click **Default Client Settings**, and select **Properties**.
-
-3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
-
-
-
-Figure 9. Configure the organization name in client settings.
-
-
-
-Figure 10. The Contoso organization name displayed during deployment.
-
-## Configure the Network Access account
-
-
-Configuration Manager uses the Network Access account during the Windows 10 deployment process to access content on the distribution point(s). In this section, you configure the Network Access account.
-
-1. Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**.
-
-2. Right-click **PS1 - Primary Site 1**, select **Configure Site Components**, and then select **Software Distribution**.
-
-3. In the **Network Access Account** tab, configure the **CONTOSO\\CM\_NAA** user account (select New Account) as the Network Access account. Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
-
-
-
-Figure 11. Test the connection for the Network Access account.
-
-## Enable PXE on the CM01 distribution point
-
-
-Configuration Manager has many options for starting a deployment, but starting via PXE is certainly the most flexible in a large environment. In this section, you enable PXE on the CM01 distribution point.
-
-1. In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**.
-
-2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
-
-3. In the **PXE** tab, select the following settings:
-
- * Enable PXE support for clients
-
- * Allow this distribution point to respond to incoming PXE requests
-
- * Enable unknown computer support
-
- * Require a password when computers use PXE
-
- * Password and Confirm password: Passw0rd!
-
- 
-
- Figure 12. Configure the CM01 distribution point for PXE.
-
-4. Using the Configuration Manager Trace Log Tool, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
-
- 
-
- Figure 13. The distmgr.log displays a successful configuration of PXE on the distribution point.
-
-5. Verify that you have seven files in each of the folders **E:\\RemoteInstall\\SMSBoot\\x86** and **E:\\RemoteInstall\\SMSBoot\\x64**.
-
- 
-
- Figure 14. The contents of the E:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
deleted file mode 100644
index d9550467e3..0000000000
--- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
-description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
-ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, install, installation, computer refresh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft Endpoint Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
-
-A computer refresh with Microsoft Endpoint Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps:
-
-1. Data and settings are backed up locally in a backup folder.
-
-2. The partition is wiped, except for the backup folder.
-
-3. The new operating system image is applied.
-
-4. Other applications are installed.
-
-5. Data and settings are restored.
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed.
-
-## Create a device collection and add the PC0003 computer
-
-
-1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
-
- * General
-
- * Name: Install Windows 10 Enterprise x64
-
- * Limited Collection: All Systems
-
- * Membership rules:
-
- * Direct rule
-
- * Resource Class: System Resource
-
- * Attribute Name: Name
-
- * Value: PC0003
-
- * Select **Resources**
-
- * Select **PC0003**
-
-2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
-
- >[!NOTE]
- >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
-
-
-
-## Create a new deployment
-
-
-Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings:
-
-- General
-
- - Collection: Install Windows 10 Enterprise x64
-
-- Deployment Settings
-
- - Purpose: Available
-
- - Make available to the following: Configuration Manager clients, media and PXE
-
- >[!NOTE]
- >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
-
-
-
-- Scheduling
-
- - <default>
-
-- User Experience
-
- - <default>
-
-- Alerts
-
- - <default>
-
-- Distribution Points
-
- - <default>
-
-## Initiate a computer refresh
-
-
-Now you can start the computer refresh on PC0003.
-
-1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
-
- >[!NOTE]
- >The Client Notification feature is new in Configuration Manager.
-
-2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
-
-3. In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
deleted file mode 100644
index b00e32b337..0000000000
--- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ /dev/null
@@ -1,241 +0,0 @@
----
-title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
-description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
-ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, install, installation, replace computer, setup
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10.
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
-
-## Create a replace task sequence
-
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-
-2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**.
-
-3. On the **General** page, assign the following settings and click **Next**:
-
- * Task sequence name: Replace Task Sequence
-
- * Task sequence comments: USMT backup only
-
-4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-
-5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
-
-6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
-
-7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**.
-
-8. On the **Summary** page, review the details and then click **Next**.
-
-9. On the **Confirmation** page, click **Finish**.
-
-10. Review the Replace Task Sequence.
- >[!NOTE]
- >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
-
-
-
-Figure 34. The backup-only task sequence (named Replace Task Sequence).
-
-## Associate the new machine with the old computer
-
-
-This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
-
-1. Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96.
-
-2. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**.
-
-3. On the **Select Source** page, select **Import single computer** and click **Next**.
-
-4. On the **Single Computer** page, use the following settings and then click **Next**:
-
- * Computer Name: PC0006
-
- * MAC Address: <the mac address from step 1>
-
- * Source Computer: PC0004
-
- 
-
- Figure 35. Creating the computer association between PC0004 and PC0006.
-
-5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**.
-
-6. On the **Data Preview** page, click **Next**.
-
-7. On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**.
-
-8. On the **Summary** page, click **Next**, and then click **Close**.
-
-9. Select the **User State Migration** node and review the computer association in the right pane.
-
-10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not.
-
-11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again.
-
-## Create a device collection and add the PC0004 computer
-
-
-1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
-
- * General
-
- * Name: USMT Backup (Replace)
-
- * Limited Collection: All Systems
-
- * Membership rules:
-
- * Direct rule
-
- * Resource Class: System Resource
-
- * Attribute Name: Name
-
- * Value: PC0004
-
- * Select **Resources**
-
- * Select **PC0004**
-
-2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
-
-## Create a new deployment
-
-
-Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
-
-- General
-
- - Collection: USMT Backup (Replace)
-
-- Deployment Settings
-
- - Purpose: Available
-
- - Make available to the following: Only Configuration Manager Clients
-
-- Scheduling
-
- - <default>
-
-- User Experience
-
- - <default>
-
-- Alerts
-
- - <default>
-
-- Distribution Points
-
- - <default>
-
-## Verify the backup
-
-
-This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed.
-
-1. Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet.
-
-2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
-
- >[!NOTE]
- >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
-
-3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
-
-4. In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**.
-
-5. Allow the Replace Task Sequence to complete. It should only take about five minutes.
-
-6. On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup.
-
-7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
-
- >[!NOTE]
- >It may take a few minutes for the user state store location to be populated.
-
-
-
-## Deploy the new computer
-
-
-1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
-
- * Password: P@ssw0rd
-
- * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
-
-2. The setup now starts and does the following:
-
- * Installs the Windows 10 operating system
-
- * Installs the Configuration Manager client
-
- * Joins it to the domain
-
- * Installs the applications
-
- * Restores the PC0004 backup
-
-When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index adca6df481..4680e56b08 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -1,49 +1,39 @@
----
-title: Deploy Windows 10 (Windows 10)
-description: Deploying Windows 10 for IT professionals.
-ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
-author: greg-lindsay
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.date: 11/06/2018
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10
-
-Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
-
-
-|Topic |Description |
-|------|------------|
-|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
-|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
-|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
-|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
-|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
-|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
-|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
-|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
-
-## Related topics
-
-[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
-
-
-
-
-
-
-
-
-
+---
+title: Deploy Windows 10 (Windows 10)
+description: Deploying Windows 10 for IT professionals.
+ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10
+
+Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
+
+
+|Topic |Description |
+|------|------------|
+|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
+|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
+|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
+|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
+
+## Related topics
+
+[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
\ No newline at end of file
diff --git a/windows/deployment/images/ContosoBackground.bmp b/windows/deployment/images/ContosoBackground.bmp
new file mode 100644
index 0000000000..99c9e7c8eb
Binary files /dev/null and b/windows/deployment/images/ContosoBackground.bmp differ
diff --git a/windows/deployment/images/ContosoBackground.png b/windows/deployment/images/ContosoBackground.png
new file mode 100644
index 0000000000..12a04f0e83
Binary files /dev/null and b/windows/deployment/images/ContosoBackground.png differ
diff --git a/windows/deployment/images/acroread.png b/windows/deployment/images/acroread.png
new file mode 100644
index 0000000000..142e7b6d74
Binary files /dev/null and b/windows/deployment/images/acroread.png differ
diff --git a/windows/deployment/images/captureimage.png b/windows/deployment/images/captureimage.png
new file mode 100644
index 0000000000..e9ebbf3aad
Binary files /dev/null and b/windows/deployment/images/captureimage.png differ
diff --git a/windows/deployment/images/cm-upgrade-ts.png b/windows/deployment/images/cm-upgrade-ts.png
new file mode 100644
index 0000000000..15c6b04400
Binary files /dev/null and b/windows/deployment/images/cm-upgrade-ts.png differ
diff --git a/windows/deployment/images/cm01-content-status1.png b/windows/deployment/images/cm01-content-status1.png
new file mode 100644
index 0000000000..2aa9f3bce1
Binary files /dev/null and b/windows/deployment/images/cm01-content-status1.png differ
diff --git a/windows/deployment/images/cm01-drivers-packages.png b/windows/deployment/images/cm01-drivers-packages.png
new file mode 100644
index 0000000000..9453c20588
Binary files /dev/null and b/windows/deployment/images/cm01-drivers-packages.png differ
diff --git a/windows/deployment/images/cm01-drivers-windows.png b/windows/deployment/images/cm01-drivers-windows.png
new file mode 100644
index 0000000000..16a6c031c7
Binary files /dev/null and b/windows/deployment/images/cm01-drivers-windows.png differ
diff --git a/windows/deployment/images/cm01-drivers.png b/windows/deployment/images/cm01-drivers.png
new file mode 100644
index 0000000000..57de49530b
Binary files /dev/null and b/windows/deployment/images/cm01-drivers.png differ
diff --git a/windows/deployment/images/sccm-asset.PNG b/windows/deployment/images/configmgr-asset.png
similarity index 100%
rename from windows/deployment/images/sccm-asset.PNG
rename to windows/deployment/images/configmgr-asset.png
diff --git a/windows/deployment/images/configmgr-assets.PNG b/windows/deployment/images/configmgr-assets.PNG
new file mode 100644
index 0000000000..ac315148c5
Binary files /dev/null and b/windows/deployment/images/configmgr-assets.PNG differ
diff --git a/windows/deployment/images/configmgr-assets.png b/windows/deployment/images/configmgr-assets.png
new file mode 100644
index 0000000000..ac315148c5
Binary files /dev/null and b/windows/deployment/images/configmgr-assets.png differ
diff --git a/windows/deployment/images/sccm-client.PNG b/windows/deployment/images/configmgr-client.PNG
similarity index 100%
rename from windows/deployment/images/sccm-client.PNG
rename to windows/deployment/images/configmgr-client.PNG
diff --git a/windows/deployment/images/sccm-collection.PNG b/windows/deployment/images/configmgr-collection.PNG
similarity index 100%
rename from windows/deployment/images/sccm-collection.PNG
rename to windows/deployment/images/configmgr-collection.PNG
diff --git a/windows/deployment/images/sccm-install-os.PNG b/windows/deployment/images/configmgr-install-os.PNG
similarity index 100%
rename from windows/deployment/images/sccm-install-os.PNG
rename to windows/deployment/images/configmgr-install-os.PNG
diff --git a/windows/deployment/images/sccm-post-refresh.PNG b/windows/deployment/images/configmgr-post-refresh.PNG
similarity index 100%
rename from windows/deployment/images/sccm-post-refresh.PNG
rename to windows/deployment/images/configmgr-post-refresh.PNG
diff --git a/windows/deployment/images/sccm-pxe.PNG b/windows/deployment/images/configmgr-pxe.PNG
similarity index 100%
rename from windows/deployment/images/sccm-pxe.PNG
rename to windows/deployment/images/configmgr-pxe.PNG
diff --git a/windows/deployment/images/sccm-site.PNG b/windows/deployment/images/configmgr-site.PNG
similarity index 100%
rename from windows/deployment/images/sccm-site.PNG
rename to windows/deployment/images/configmgr-site.PNG
diff --git a/windows/deployment/images/sccm-software-cntr.PNG b/windows/deployment/images/configmgr-software-cntr.PNG
similarity index 100%
rename from windows/deployment/images/sccm-software-cntr.PNG
rename to windows/deployment/images/configmgr-software-cntr.PNG
diff --git a/windows/deployment/images/dart.png b/windows/deployment/images/dart.png
new file mode 100644
index 0000000000..f5c099e9a0
Binary files /dev/null and b/windows/deployment/images/dart.png differ
diff --git a/windows/deployment/images/dc01-cm01-pc0001.png b/windows/deployment/images/dc01-cm01-pc0001.png
new file mode 100644
index 0000000000..f6adafdf15
Binary files /dev/null and b/windows/deployment/images/dc01-cm01-pc0001.png differ
diff --git a/windows/deployment/images/deployment-workbench01.png b/windows/deployment/images/deployment-workbench01.png
new file mode 100644
index 0000000000..c68ee25db1
Binary files /dev/null and b/windows/deployment/images/deployment-workbench01.png differ
diff --git a/windows/deployment/images/downloads.png b/windows/deployment/images/downloads.png
new file mode 100644
index 0000000000..36c45c4a88
Binary files /dev/null and b/windows/deployment/images/downloads.png differ
diff --git a/windows/deployment/images/fig10-unattend.png b/windows/deployment/images/fig10-unattend.png
index a9d2bc16df..54f0b0f86f 100644
Binary files a/windows/deployment/images/fig10-unattend.png and b/windows/deployment/images/fig10-unattend.png differ
diff --git a/windows/deployment/images/fig16-contentstatus.png b/windows/deployment/images/fig16-contentstatus.png
index 5ea8ba275a..f48490b97d 100644
Binary files a/windows/deployment/images/fig16-contentstatus.png and b/windows/deployment/images/fig16-contentstatus.png differ
diff --git a/windows/deployment/images/fig16-contentstatus1.png b/windows/deployment/images/fig16-contentstatus1.png
new file mode 100644
index 0000000000..32c6023e7c
Binary files /dev/null and b/windows/deployment/images/fig16-contentstatus1.png differ
diff --git a/windows/deployment/images/fig16-contentstatus2.png b/windows/deployment/images/fig16-contentstatus2.png
new file mode 100644
index 0000000000..d28385f4ae
Binary files /dev/null and b/windows/deployment/images/fig16-contentstatus2.png differ
diff --git a/windows/deployment/images/fig18-distwindows.png b/windows/deployment/images/fig18-distwindows.png
index d8525ddd3e..07ff1b74c6 100644
Binary files a/windows/deployment/images/fig18-distwindows.png and b/windows/deployment/images/fig18-distwindows.png differ
diff --git a/windows/deployment/images/fig2-importedos.png b/windows/deployment/images/fig2-importedos.png
index ed72d2ef4d..90cf910c24 100644
Binary files a/windows/deployment/images/fig2-importedos.png and b/windows/deployment/images/fig2-importedos.png differ
diff --git a/windows/deployment/images/fig2-taskseq.png b/windows/deployment/images/fig2-taskseq.png
index 1da70bd6e7..bdd81ddbde 100644
Binary files a/windows/deployment/images/fig2-taskseq.png and b/windows/deployment/images/fig2-taskseq.png differ
diff --git a/windows/deployment/images/fig21-add-drivers1.png b/windows/deployment/images/fig21-add-drivers1.png
new file mode 100644
index 0000000000..79b797a7d3
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers1.png differ
diff --git a/windows/deployment/images/fig21-add-drivers2.png b/windows/deployment/images/fig21-add-drivers2.png
new file mode 100644
index 0000000000..2f18c5b660
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers2.png differ
diff --git a/windows/deployment/images/fig21-add-drivers3.png b/windows/deployment/images/fig21-add-drivers3.png
new file mode 100644
index 0000000000..45f97d0835
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers3.png differ
diff --git a/windows/deployment/images/fig21-add-drivers4.png b/windows/deployment/images/fig21-add-drivers4.png
new file mode 100644
index 0000000000..a6613d8718
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers4.png differ
diff --git a/windows/deployment/images/fig22-createcategories.png b/windows/deployment/images/fig22-createcategories.png
index 8912ad974f..664ffb2777 100644
Binary files a/windows/deployment/images/fig22-createcategories.png and b/windows/deployment/images/fig22-createcategories.png differ
diff --git a/windows/deployment/images/fig27-driverpackage.png b/windows/deployment/images/fig27-driverpackage.png
index c2f66669be..cfb17d05ba 100644
Binary files a/windows/deployment/images/fig27-driverpackage.png and b/windows/deployment/images/fig27-driverpackage.png differ
diff --git a/windows/deployment/images/fig28-addapp.png b/windows/deployment/images/fig28-addapp.png
index a7ba6b3709..34f6f44519 100644
Binary files a/windows/deployment/images/fig28-addapp.png and b/windows/deployment/images/fig28-addapp.png differ
diff --git a/windows/deployment/images/fig30-settingspack.png b/windows/deployment/images/fig30-settingspack.png
index 3479184140..4dd820aadf 100644
Binary files a/windows/deployment/images/fig30-settingspack.png and b/windows/deployment/images/fig30-settingspack.png differ
diff --git a/windows/deployment/images/fig32-deploywiz.png b/windows/deployment/images/fig32-deploywiz.png
index a1387b19d8..ad5052af7d 100644
Binary files a/windows/deployment/images/fig32-deploywiz.png and b/windows/deployment/images/fig32-deploywiz.png differ
diff --git a/windows/deployment/images/fig4-oob-drivers.png b/windows/deployment/images/fig4-oob-drivers.png
index b1f6924665..14d93fb278 100644
Binary files a/windows/deployment/images/fig4-oob-drivers.png and b/windows/deployment/images/fig4-oob-drivers.png differ
diff --git a/windows/deployment/images/fig8-cust-tasks.png b/windows/deployment/images/fig8-cust-tasks.png
index 378215ee2b..3ab40d730a 100644
Binary files a/windows/deployment/images/fig8-cust-tasks.png and b/windows/deployment/images/fig8-cust-tasks.png differ
diff --git a/windows/deployment/images/image-captured.png b/windows/deployment/images/image-captured.png
new file mode 100644
index 0000000000..69c5d5ef15
Binary files /dev/null and b/windows/deployment/images/image-captured.png differ
diff --git a/windows/deployment/images/iso-data.png b/windows/deployment/images/iso-data.png
new file mode 100644
index 0000000000..f188046b7f
Binary files /dev/null and b/windows/deployment/images/iso-data.png differ
diff --git a/windows/deployment/images/mdt-03-fig02.png b/windows/deployment/images/mdt-03-fig02.png
index d0fd979449..934be09dc1 100644
Binary files a/windows/deployment/images/mdt-03-fig02.png and b/windows/deployment/images/mdt-03-fig02.png differ
diff --git a/windows/deployment/images/mdt-03-fig03.png b/windows/deployment/images/mdt-03-fig03.png
index ba1de39aa0..a387923d80 100644
Binary files a/windows/deployment/images/mdt-03-fig03.png and b/windows/deployment/images/mdt-03-fig03.png differ
diff --git a/windows/deployment/images/mdt-03-fig04.png b/windows/deployment/images/mdt-03-fig04.png
index 26600a2036..437531d2f6 100644
Binary files a/windows/deployment/images/mdt-03-fig04.png and b/windows/deployment/images/mdt-03-fig04.png differ
diff --git a/windows/deployment/images/mdt-03-fig05.png b/windows/deployment/images/mdt-03-fig05.png
index 9c44837022..a7b8d6ca2e 100644
Binary files a/windows/deployment/images/mdt-03-fig05.png and b/windows/deployment/images/mdt-03-fig05.png differ
diff --git a/windows/deployment/images/mdt-06-fig06.png b/windows/deployment/images/mdt-06-fig06.png
index 324c8960c1..69e2b89c1e 100644
Binary files a/windows/deployment/images/mdt-06-fig06.png and b/windows/deployment/images/mdt-06-fig06.png differ
diff --git a/windows/deployment/images/mdt-06-fig08.png b/windows/deployment/images/mdt-06-fig08.png
index 33cb90327a..25c8a0a445 100644
Binary files a/windows/deployment/images/mdt-06-fig08.png and b/windows/deployment/images/mdt-06-fig08.png differ
diff --git a/windows/deployment/images/mdt-06-fig10.png b/windows/deployment/images/mdt-06-fig10.png
index 1d92505b96..85b448ba87 100644
Binary files a/windows/deployment/images/mdt-06-fig10.png and b/windows/deployment/images/mdt-06-fig10.png differ
diff --git a/windows/deployment/images/mdt-06-fig12.png b/windows/deployment/images/mdt-06-fig12.png
index f33eca6174..a427be3f1d 100644
Binary files a/windows/deployment/images/mdt-06-fig12.png and b/windows/deployment/images/mdt-06-fig12.png differ
diff --git a/windows/deployment/images/mdt-06-fig13.png b/windows/deployment/images/mdt-06-fig13.png
index ab578f69fe..a9f020b0da 100644
Binary files a/windows/deployment/images/mdt-06-fig13.png and b/windows/deployment/images/mdt-06-fig13.png differ
diff --git a/windows/deployment/images/mdt-06-fig14.png b/windows/deployment/images/mdt-06-fig14.png
index 13158231fd..1d06c9c7e2 100644
Binary files a/windows/deployment/images/mdt-06-fig14.png and b/windows/deployment/images/mdt-06-fig14.png differ
diff --git a/windows/deployment/images/mdt-06-fig15.png b/windows/deployment/images/mdt-06-fig15.png
index 2f1a0eba18..ffa5890a84 100644
Binary files a/windows/deployment/images/mdt-06-fig15.png and b/windows/deployment/images/mdt-06-fig15.png differ
diff --git a/windows/deployment/images/mdt-06-fig16.png b/windows/deployment/images/mdt-06-fig16.png
index 40cb46adbd..f448782602 100644
Binary files a/windows/deployment/images/mdt-06-fig16.png and b/windows/deployment/images/mdt-06-fig16.png differ
diff --git a/windows/deployment/images/mdt-06-fig20.png b/windows/deployment/images/mdt-06-fig20.png
index 475fad7597..890c421227 100644
Binary files a/windows/deployment/images/mdt-06-fig20.png and b/windows/deployment/images/mdt-06-fig20.png differ
diff --git a/windows/deployment/images/mdt-06-fig21.png b/windows/deployment/images/mdt-06-fig21.png
index 7cbd1d20bc..07b168ab89 100644
Binary files a/windows/deployment/images/mdt-06-fig21.png and b/windows/deployment/images/mdt-06-fig21.png differ
diff --git a/windows/deployment/images/mdt-06-fig31.png b/windows/deployment/images/mdt-06-fig31.png
index 5e98d623b1..306f4a7980 100644
Binary files a/windows/deployment/images/mdt-06-fig31.png and b/windows/deployment/images/mdt-06-fig31.png differ
diff --git a/windows/deployment/images/mdt-06-fig33.png b/windows/deployment/images/mdt-06-fig33.png
index 18ae4c82dd..1529426830 100644
Binary files a/windows/deployment/images/mdt-06-fig33.png and b/windows/deployment/images/mdt-06-fig33.png differ
diff --git a/windows/deployment/images/mdt-06-fig42.png b/windows/deployment/images/mdt-06-fig42.png
index 12b0e6817a..e9cfe36083 100644
Binary files a/windows/deployment/images/mdt-06-fig42.png and b/windows/deployment/images/mdt-06-fig42.png differ
diff --git a/windows/deployment/images/mdt-06-fig43.png b/windows/deployment/images/mdt-06-fig43.png
index 015edd21e3..c9a2c88306 100644
Binary files a/windows/deployment/images/mdt-06-fig43.png and b/windows/deployment/images/mdt-06-fig43.png differ
diff --git a/windows/deployment/images/mdt-07-fig01.png b/windows/deployment/images/mdt-07-fig01.png
index b2ccfec334..90635678e8 100644
Binary files a/windows/deployment/images/mdt-07-fig01.png and b/windows/deployment/images/mdt-07-fig01.png differ
diff --git a/windows/deployment/images/mdt-07-fig08.png b/windows/deployment/images/mdt-07-fig08.png
index 66e2969916..2cbfc47271 100644
Binary files a/windows/deployment/images/mdt-07-fig08.png and b/windows/deployment/images/mdt-07-fig08.png differ
diff --git a/windows/deployment/images/mdt-07-fig09.png b/windows/deployment/images/mdt-07-fig09.png
index ce320427ee..245b59072d 100644
Binary files a/windows/deployment/images/mdt-07-fig09.png and b/windows/deployment/images/mdt-07-fig09.png differ
diff --git a/windows/deployment/images/mdt-07-fig10.png b/windows/deployment/images/mdt-07-fig10.png
index 7aff3c2d76..2c61e0eb3d 100644
Binary files a/windows/deployment/images/mdt-07-fig10.png and b/windows/deployment/images/mdt-07-fig10.png differ
diff --git a/windows/deployment/images/mdt-07-fig11.png b/windows/deployment/images/mdt-07-fig11.png
index 905f8bd572..ce70374271 100644
Binary files a/windows/deployment/images/mdt-07-fig11.png and b/windows/deployment/images/mdt-07-fig11.png differ
diff --git a/windows/deployment/images/mdt-07-fig13.png b/windows/deployment/images/mdt-07-fig13.png
index 849949a2f2..dae9bd23b8 100644
Binary files a/windows/deployment/images/mdt-07-fig13.png and b/windows/deployment/images/mdt-07-fig13.png differ
diff --git a/windows/deployment/images/mdt-07-fig14.png b/windows/deployment/images/mdt-07-fig14.png
index cfe7843eeb..788e609cf6 100644
Binary files a/windows/deployment/images/mdt-07-fig14.png and b/windows/deployment/images/mdt-07-fig14.png differ
diff --git a/windows/deployment/images/mdt-07-fig16.png b/windows/deployment/images/mdt-07-fig16.png
index 80e0925a40..995eaa51c7 100644
Binary files a/windows/deployment/images/mdt-07-fig16.png and b/windows/deployment/images/mdt-07-fig16.png differ
diff --git a/windows/deployment/images/mdt-08-fig01.png b/windows/deployment/images/mdt-08-fig01.png
index 7f795c42d4..7e9e650633 100644
Binary files a/windows/deployment/images/mdt-08-fig01.png and b/windows/deployment/images/mdt-08-fig01.png differ
diff --git a/windows/deployment/images/mdt-08-fig02.png b/windows/deployment/images/mdt-08-fig02.png
index 50c97d8d0c..7a0a4a1bbb 100644
Binary files a/windows/deployment/images/mdt-08-fig02.png and b/windows/deployment/images/mdt-08-fig02.png differ
diff --git a/windows/deployment/images/mdt-08-fig14.png b/windows/deployment/images/mdt-08-fig14.png
index 21b358d1f8..4e5626280a 100644
Binary files a/windows/deployment/images/mdt-08-fig14.png and b/windows/deployment/images/mdt-08-fig14.png differ
diff --git a/windows/deployment/images/mdt-09-fig07.png b/windows/deployment/images/mdt-09-fig07.png
index 431f212f80..a2a9093ff0 100644
Binary files a/windows/deployment/images/mdt-09-fig07.png and b/windows/deployment/images/mdt-09-fig07.png differ
diff --git a/windows/deployment/images/mdt-10-fig05.png b/windows/deployment/images/mdt-10-fig05.png
index 64c0c4a6ee..8625f2972b 100644
Binary files a/windows/deployment/images/mdt-10-fig05.png and b/windows/deployment/images/mdt-10-fig05.png differ
diff --git a/windows/deployment/images/mdt-10-fig09.png b/windows/deployment/images/mdt-10-fig09.png
index ccdd05f34e..bb5010a93d 100644
Binary files a/windows/deployment/images/mdt-10-fig09.png and b/windows/deployment/images/mdt-10-fig09.png differ
diff --git a/windows/deployment/images/mdt-apps.png b/windows/deployment/images/mdt-apps.png
new file mode 100644
index 0000000000..72ee2268f2
Binary files /dev/null and b/windows/deployment/images/mdt-apps.png differ
diff --git a/windows/deployment/images/mdt-monitoring.png b/windows/deployment/images/mdt-monitoring.png
new file mode 100644
index 0000000000..c49732223a
Binary files /dev/null and b/windows/deployment/images/mdt-monitoring.png differ
diff --git a/windows/deployment/images/mdt-offline-media.png b/windows/deployment/images/mdt-offline-media.png
new file mode 100644
index 0000000000..d81ea4e0d8
Binary files /dev/null and b/windows/deployment/images/mdt-offline-media.png differ
diff --git a/windows/deployment/images/mdt-post-upg.png b/windows/deployment/images/mdt-post-upg.png
new file mode 100644
index 0000000000..f41d2ff32b
Binary files /dev/null and b/windows/deployment/images/mdt-post-upg.png differ
diff --git a/windows/deployment/images/mdt-replace.png b/windows/deployment/images/mdt-replace.png
new file mode 100644
index 0000000000..d731037d38
Binary files /dev/null and b/windows/deployment/images/mdt-replace.png differ
diff --git a/windows/deployment/images/mdt-rules.png b/windows/deployment/images/mdt-rules.png
new file mode 100644
index 0000000000..b01c519635
Binary files /dev/null and b/windows/deployment/images/mdt-rules.png differ
diff --git a/windows/deployment/images/mdt-upgrade-proc.png b/windows/deployment/images/mdt-upgrade-proc.png
new file mode 100644
index 0000000000..07a968aed0
Binary files /dev/null and b/windows/deployment/images/mdt-upgrade-proc.png differ
diff --git a/windows/deployment/images/mdt-upgrade.png b/windows/deployment/images/mdt-upgrade.png
new file mode 100644
index 0000000000..c794526ad5
Binary files /dev/null and b/windows/deployment/images/mdt-upgrade.png differ
diff --git a/windows/deployment/images/mdt.png b/windows/deployment/images/mdt.png
new file mode 100644
index 0000000000..76a00ee065
Binary files /dev/null and b/windows/deployment/images/mdt.png differ
diff --git a/windows/deployment/images/monitor-pc0001.PNG b/windows/deployment/images/monitor-pc0001.PNG
new file mode 100644
index 0000000000..072b9cb58c
Binary files /dev/null and b/windows/deployment/images/monitor-pc0001.PNG differ
diff --git a/windows/deployment/images/office-folder.png b/windows/deployment/images/office-folder.png
new file mode 100644
index 0000000000..722cc4d664
Binary files /dev/null and b/windows/deployment/images/office-folder.png differ
diff --git a/windows/deployment/images/pc0001-monitor.png b/windows/deployment/images/pc0001-monitor.png
new file mode 100644
index 0000000000..7ba8e198bf
Binary files /dev/null and b/windows/deployment/images/pc0001-monitor.png differ
diff --git a/windows/deployment/images/pc0001.png b/windows/deployment/images/pc0001.png
new file mode 100644
index 0000000000..839cd3de54
Binary files /dev/null and b/windows/deployment/images/pc0001.png differ
diff --git a/windows/deployment/images/pc0001a.png b/windows/deployment/images/pc0001a.png
new file mode 100644
index 0000000000..0f2be5a865
Binary files /dev/null and b/windows/deployment/images/pc0001a.png differ
diff --git a/windows/deployment/images/pc0001b.png b/windows/deployment/images/pc0001b.png
new file mode 100644
index 0000000000..456f6071a9
Binary files /dev/null and b/windows/deployment/images/pc0001b.png differ
diff --git a/windows/deployment/images/pc0001c.png b/windows/deployment/images/pc0001c.png
new file mode 100644
index 0000000000..d093e58d0a
Binary files /dev/null and b/windows/deployment/images/pc0001c.png differ
diff --git a/windows/deployment/images/pc0001d.png b/windows/deployment/images/pc0001d.png
new file mode 100644
index 0000000000..14f14a2e91
Binary files /dev/null and b/windows/deployment/images/pc0001d.png differ
diff --git a/windows/deployment/images/pc0001e.png b/windows/deployment/images/pc0001e.png
new file mode 100644
index 0000000000..41264f2c63
Binary files /dev/null and b/windows/deployment/images/pc0001e.png differ
diff --git a/windows/deployment/images/pc0001f.png b/windows/deployment/images/pc0001f.png
new file mode 100644
index 0000000000..8261c40953
Binary files /dev/null and b/windows/deployment/images/pc0001f.png differ
diff --git a/windows/deployment/images/pc0001g.png b/windows/deployment/images/pc0001g.png
new file mode 100644
index 0000000000..5fd7f8a4a7
Binary files /dev/null and b/windows/deployment/images/pc0001g.png differ
diff --git a/windows/deployment/images/pc0001h.png b/windows/deployment/images/pc0001h.png
new file mode 100644
index 0000000000..65bead5840
Binary files /dev/null and b/windows/deployment/images/pc0001h.png differ
diff --git a/windows/deployment/images/pc0001i.png b/windows/deployment/images/pc0001i.png
new file mode 100644
index 0000000000..76247a04df
Binary files /dev/null and b/windows/deployment/images/pc0001i.png differ
diff --git a/windows/deployment/images/pc0001j.png b/windows/deployment/images/pc0001j.png
new file mode 100644
index 0000000000..01d8fe22b7
Binary files /dev/null and b/windows/deployment/images/pc0001j.png differ
diff --git a/windows/deployment/images/pc0001k.png b/windows/deployment/images/pc0001k.png
new file mode 100644
index 0000000000..1f591d5164
Binary files /dev/null and b/windows/deployment/images/pc0001k.png differ
diff --git a/windows/deployment/images/pc0001l.png b/windows/deployment/images/pc0001l.png
new file mode 100644
index 0000000000..a2d491cef7
Binary files /dev/null and b/windows/deployment/images/pc0001l.png differ
diff --git a/windows/deployment/images/pc0001m.png b/windows/deployment/images/pc0001m.png
new file mode 100644
index 0000000000..d9e07b5d8a
Binary files /dev/null and b/windows/deployment/images/pc0001m.png differ
diff --git a/windows/deployment/images/pc0001n.png b/windows/deployment/images/pc0001n.png
new file mode 100644
index 0000000000..10819a15d9
Binary files /dev/null and b/windows/deployment/images/pc0001n.png differ
diff --git a/windows/deployment/images/pc0003a.png b/windows/deployment/images/pc0003a.png
new file mode 100644
index 0000000000..31d8d4068c
Binary files /dev/null and b/windows/deployment/images/pc0003a.png differ
diff --git a/windows/deployment/images/pc0003b.png b/windows/deployment/images/pc0003b.png
new file mode 100644
index 0000000000..8df2b066e6
Binary files /dev/null and b/windows/deployment/images/pc0003b.png differ
diff --git a/windows/deployment/images/pc0003c.png b/windows/deployment/images/pc0003c.png
new file mode 100644
index 0000000000..69db9cc567
Binary files /dev/null and b/windows/deployment/images/pc0003c.png differ
diff --git a/windows/deployment/images/pc0003d.png b/windows/deployment/images/pc0003d.png
new file mode 100644
index 0000000000..d36e293f74
Binary files /dev/null and b/windows/deployment/images/pc0003d.png differ
diff --git a/windows/deployment/images/pc0003e.png b/windows/deployment/images/pc0003e.png
new file mode 100644
index 0000000000..09be89ba61
Binary files /dev/null and b/windows/deployment/images/pc0003e.png differ
diff --git a/windows/deployment/images/pc0003f.png b/windows/deployment/images/pc0003f.png
new file mode 100644
index 0000000000..6f48f797df
Binary files /dev/null and b/windows/deployment/images/pc0003f.png differ
diff --git a/windows/deployment/images/pc0003g.png b/windows/deployment/images/pc0003g.png
new file mode 100644
index 0000000000..a5a935de32
Binary files /dev/null and b/windows/deployment/images/pc0003g.png differ
diff --git a/windows/deployment/images/pc0003h.png b/windows/deployment/images/pc0003h.png
new file mode 100644
index 0000000000..9e15738b48
Binary files /dev/null and b/windows/deployment/images/pc0003h.png differ
diff --git a/windows/deployment/images/pc0003i.png b/windows/deployment/images/pc0003i.png
new file mode 100644
index 0000000000..7c7b194399
Binary files /dev/null and b/windows/deployment/images/pc0003i.png differ
diff --git a/windows/deployment/images/pc0003j.png b/windows/deployment/images/pc0003j.png
new file mode 100644
index 0000000000..b446bff1c2
Binary files /dev/null and b/windows/deployment/images/pc0003j.png differ
diff --git a/windows/deployment/images/pc0003k.png b/windows/deployment/images/pc0003k.png
new file mode 100644
index 0000000000..ceead7b05b
Binary files /dev/null and b/windows/deployment/images/pc0003k.png differ
diff --git a/windows/deployment/images/pc0004-a.png b/windows/deployment/images/pc0004-a.png
new file mode 100644
index 0000000000..afe954d28f
Binary files /dev/null and b/windows/deployment/images/pc0004-a.png differ
diff --git a/windows/deployment/images/pc0004-b.png b/windows/deployment/images/pc0004-b.png
new file mode 100644
index 0000000000..caad109ace
Binary files /dev/null and b/windows/deployment/images/pc0004-b.png differ
diff --git a/windows/deployment/images/pc0004-c.png b/windows/deployment/images/pc0004-c.png
new file mode 100644
index 0000000000..21490d55a3
Binary files /dev/null and b/windows/deployment/images/pc0004-c.png differ
diff --git a/windows/deployment/images/pc0004-d.png b/windows/deployment/images/pc0004-d.png
new file mode 100644
index 0000000000..db10b4ccdc
Binary files /dev/null and b/windows/deployment/images/pc0004-d.png differ
diff --git a/windows/deployment/images/pc0004-e.png b/windows/deployment/images/pc0004-e.png
new file mode 100644
index 0000000000..d6472a4209
Binary files /dev/null and b/windows/deployment/images/pc0004-e.png differ
diff --git a/windows/deployment/images/pc0004-f.png b/windows/deployment/images/pc0004-f.png
new file mode 100644
index 0000000000..7752a700e0
Binary files /dev/null and b/windows/deployment/images/pc0004-f.png differ
diff --git a/windows/deployment/images/pc0004-g.png b/windows/deployment/images/pc0004-g.png
new file mode 100644
index 0000000000..93b4812149
Binary files /dev/null and b/windows/deployment/images/pc0004-g.png differ
diff --git a/windows/deployment/images/pc0004b.png b/windows/deployment/images/pc0004b.png
new file mode 100644
index 0000000000..f1fb129bbe
Binary files /dev/null and b/windows/deployment/images/pc0004b.png differ
diff --git a/windows/deployment/images/pc0005-vm-office.png b/windows/deployment/images/pc0005-vm-office.png
new file mode 100644
index 0000000000..bb8e96f5af
Binary files /dev/null and b/windows/deployment/images/pc0005-vm-office.png differ
diff --git a/windows/deployment/images/pc0005-vm.png b/windows/deployment/images/pc0005-vm.png
new file mode 100644
index 0000000000..4b2af635c4
Binary files /dev/null and b/windows/deployment/images/pc0005-vm.png differ
diff --git a/windows/deployment/images/pc0006.png b/windows/deployment/images/pc0006.png
new file mode 100644
index 0000000000..6162982966
Binary files /dev/null and b/windows/deployment/images/pc0006.png differ
diff --git a/windows/deployment/images/pc0006a.png b/windows/deployment/images/pc0006a.png
new file mode 100644
index 0000000000..399f99885f
Binary files /dev/null and b/windows/deployment/images/pc0006a.png differ
diff --git a/windows/deployment/images/pc0006b.png b/windows/deployment/images/pc0006b.png
new file mode 100644
index 0000000000..bef284d211
Binary files /dev/null and b/windows/deployment/images/pc0006b.png differ
diff --git a/windows/deployment/images/pc0006c.png b/windows/deployment/images/pc0006c.png
new file mode 100644
index 0000000000..1e8f075262
Binary files /dev/null and b/windows/deployment/images/pc0006c.png differ
diff --git a/windows/deployment/images/pc0006d.png b/windows/deployment/images/pc0006d.png
new file mode 100644
index 0000000000..dca5a58c2a
Binary files /dev/null and b/windows/deployment/images/pc0006d.png differ
diff --git a/windows/deployment/images/pc0006e.png b/windows/deployment/images/pc0006e.png
new file mode 100644
index 0000000000..3b3ef3be99
Binary files /dev/null and b/windows/deployment/images/pc0006e.png differ
diff --git a/windows/deployment/images/pc0006f.png b/windows/deployment/images/pc0006f.png
new file mode 100644
index 0000000000..8da05473b3
Binary files /dev/null and b/windows/deployment/images/pc0006f.png differ
diff --git a/windows/deployment/images/pc0006g.png b/windows/deployment/images/pc0006g.png
new file mode 100644
index 0000000000..0cc69e2626
Binary files /dev/null and b/windows/deployment/images/pc0006g.png differ
diff --git a/windows/deployment/images/pc0006h.png b/windows/deployment/images/pc0006h.png
new file mode 100644
index 0000000000..3ae86b01ed
Binary files /dev/null and b/windows/deployment/images/pc0006h.png differ
diff --git a/windows/deployment/images/pc0006i.png b/windows/deployment/images/pc0006i.png
new file mode 100644
index 0000000000..42c8e2adfa
Binary files /dev/null and b/windows/deployment/images/pc0006i.png differ
diff --git a/windows/deployment/images/ps100009-1.png b/windows/deployment/images/ps100009-1.png
new file mode 100644
index 0000000000..6bd970c352
Binary files /dev/null and b/windows/deployment/images/ps100009-1.png differ
diff --git a/windows/deployment/images/ps100009-2.png b/windows/deployment/images/ps100009-2.png
new file mode 100644
index 0000000000..e960ad91d4
Binary files /dev/null and b/windows/deployment/images/ps100009-2.png differ
diff --git a/windows/deployment/images/ref-image.png b/windows/deployment/images/ref-image.png
new file mode 100644
index 0000000000..773a21e150
Binary files /dev/null and b/windows/deployment/images/ref-image.png differ
diff --git a/windows/deployment/images/sccm-assets.PNG b/windows/deployment/images/sccm-assets.PNG
deleted file mode 100644
index 264606c2ab..0000000000
Binary files a/windows/deployment/images/sccm-assets.PNG and /dev/null differ
diff --git a/windows/deployment/images/thinkstation.png b/windows/deployment/images/thinkstation.png
new file mode 100644
index 0000000000..7a144ec5b3
Binary files /dev/null and b/windows/deployment/images/thinkstation.png differ
diff --git a/windows/deployment/images/upgrademdt-fig1-machines.png b/windows/deployment/images/upgrademdt-fig1-machines.png
deleted file mode 100644
index ef553b6595..0000000000
Binary files a/windows/deployment/images/upgrademdt-fig1-machines.png and /dev/null differ
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 4414c1e8fe..d503946e6f 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -27,7 +27,7 @@ sections:
- href: windows-10-deployment-scenarios
html: Understand the different ways that Windows 10 can be deployed
image:
- src: https://docs.microsoft.com/media/common/i_deploy.svg"
+ src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10 deployment scenarios
- href: update
html: Update Windows 10 in the enterprise
@@ -45,7 +45,7 @@ sections:
text: "
- | [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) | Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Office 365 ProPlus deployments. |
+ | [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) | Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Microsoft 365 Apps for enterprise deployments. |
| [What's new in Windows 10 deployment](deploy-whats-new.md) | See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
| [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) | To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
| [Windows Autopilot](windows-autopilot/windows-autopilot.md) | Windows Autopilot enables an IT department to pre-configure new devices and repurpose existing devices with a simple process that requires little to no infrastructure. |
@@ -68,7 +68,7 @@ sections:
| [Windows 10 deployment test lab](windows-10-poc.md) | This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
| [Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
| [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) | This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
- | [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) | If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+ | [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-cm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) | If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
| [Windows 10 deployment tools](windows-10-deployment-tools-reference.md) | Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
"
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 5dc23ca66e..45e00f7007 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -233,7 +233,7 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr
1. Disk validation is performed.
2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist.
3. UEFI boot files are installed to the ESP.
-4. GPT metatdata and layout information is applied.
+4. GPT metadata and layout information is applied.
5. The boot configuration data (BCD) store is updated.
6. Drive letter assignments are restored.
@@ -427,6 +427,9 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from
For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window:
+ > [!NOTE]
+ > You can access the ReAgent files if you have installed the User State Migration Tool (USMT) as a feature while installing Windows Assessment and Deployment Kit.
+
**Command 1:**
```cmd
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32"
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf
index ac27941579..3a4c5f022e 100644
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.pdf and b/windows/deployment/media/Windows10DeploymentConfigManager.pdf differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx
index 5c5328cb5f..8b2db358ff 100644
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx and b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx differ
diff --git a/windows/deployment/media/windows10-deployment-config-manager.png b/windows/deployment/media/windows10-deployment-config-manager.png
index af6c8313e0..509e041741 100644
Binary files a/windows/deployment/media/windows10-deployment-config-manager.png and b/windows/deployment/media/windows10-deployment-config-manager.png differ
diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
deleted file mode 100644
index afb65c8724..0000000000
--- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Change history for Plan for Windows 10 deployment (Windows 10)
-description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 07/19/2017
-ms.topic: article
----
-
-# Change history for Plan for Windows 10 deployment
-
-
-This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
-
-
-## RELEASE: Windows 10, version 1703
-
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following is a new topic:
-- [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md)
-
-## January 2017
-
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 Infrastructure Requirements](windows-10-infrastructure-requirements.md) | Added link for Windows Server 2008 R2 and Windows 7 activation and a link to Windows Server 2016 Volume Activation Tips |
-
-## September 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| Windows 10 servicing overview | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) |
-| Windows Update for BusinessSetup and deployment of Windows Update for BusinessIntegration of Windows Update for Business with management solutions | New content replaced these topics; see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb) |
-
-
-## RELEASE: Windows 10, version 1607
-
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update).
-
-
-## July 2016
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.|
-| [Windows 10 servicing overview](../update/waas-overview.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) page. |
-
-
-## May 2016
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [Deploy Windows 10 in a school](/education/windows/deploy-windows-10-in-a-school) | New|
-
-## December 2015
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New |
-
-
-## November 2015
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------|-------------|
-| [Chromebook migration guide](/education/windows/chromebook-migration-guide) | New |
-| [Windows Update for Business](../update/waas-manage-updates-wufb.md) (multiple topics) | New |
-| [Windows To Go: feature overview](windows-to-go-overview.md) (multiple topics) | Updated |
-
-
-
-## Related topics
-
-
-[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10)
-
-[Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 022ac067c8..d57413d357 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -60,7 +60,7 @@ DirectAccess can be used to ensure that the user can login with their domain cre
### Image deployment and drive provisioning considerations
-The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
+The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center 2012 Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index 6f28178063..76f55d16c6 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -27,9 +27,9 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
## Related topics
- [Windows 10 servicing options for updates and upgrades](../update/index.md)
-- [Deploy Windows 10 with MDT 2013 Update 1](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-- [Upgrade to Windows 10 with MDT 2013 Update 1](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Deploy Windows 10 with MDT](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+- [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index 08cbf28585..80928366c3 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -74,7 +74,7 @@ Because Windows To Go requires no additional software and minimal configuration,
Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements.
-Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Office 365 ProPlus, Office 365 ProPlus subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Office 365 ProPlus or Office 365 Enterprise SKUs containing Office 365 ProPlus via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922).
+Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922).
You should investigate other software manufacturer’s licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace.
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 4b2d75eae6..5a34226e0f 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -21,14 +21,14 @@ The features described below are no longer being actively developed, and might b
**The following list is subject to change and might not include every affected feature or functionality.**
->If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
+> [!NOTE]
+> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
| Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
-| TSF1/TSF2 IME | TSF1 and TSF2 IME will be replaced by TSF3 IME in a future release. [Text Services Framework](https://docs.microsoft.com/windows/win32/tsf/what-is-text-services-framework) (TSF) enables language technologies. TSF IME are Windows components that you can add to enable typing text for Japanese, Simplified Chinese, Traditional Chinese, and Korean languages. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
@@ -48,7 +48,6 @@ The features described below are no longer being actively developed, and might b
|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
|IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
-|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
@@ -64,3 +63,4 @@ The features described below are no longer being actively developed, and might b
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](https://docs.microsoft.com/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](https://docs.microsoft.com/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|IPsec Task Offload| [IPsec Task Offload](https://docs.microsoft.com/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
+|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 484aa23fe6..b5615f4412 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -53,7 +53,7 @@ For System Center Configuration Manager, Windows 10 support is offered with var
> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management.
-For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
## Management tools
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index 3063058112..1c93c41731 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -18,7 +18,7 @@ ms.topic: article
Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.**
-For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md)
+For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md).
> [!NOTE]
> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself.
@@ -50,12 +50,13 @@ The following features and functionalities have been removed from the installed
|Reading List | Functionality to be integrated into Microsoft Edge. | 1709 |
|Screen saver functionality in Themes | This functionality is disabled in Themes, and classified as **Removed** in this table. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Syskey.exe | Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). | 1709 |
-|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193).| 1709 |
+|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 |
|Tile Data Layer |To be replaced by the Tile Store.| 1709 |
+|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
|Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 |
|By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 |
|Interactive Service Detection Service| See [Interactive Services](https://docs.microsoft.com/windows/win32/services/interactive-services?redirectedfrom=MSDN) for guidance on how to keep software up to date. | 1703 |
|Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 |
|NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 |
|Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 |
-|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
\ No newline at end of file
+|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
index 7e35245a09..760c0f0182 100644
--- a/windows/deployment/update/feature-update-mission-critical.md
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -1,6 +1,6 @@
---
-title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
-description: Learn how to deploy feature updates to your mission critical devices
+title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices
+description: Learn how to deploy feature updates to your mission-critical devices
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 07/10/2018
ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
@@ -21,7 +20,7 @@ ms.topic: article
Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
-For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates).
+For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service).
Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods:
@@ -32,9 +31,9 @@ You can use Configuration Manager to deploy feature updates to Windows 10 device
- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
-- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
+- **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
-If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method.
+If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this useful in deploying software updates.
Use the following information:
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 9dbe7740b3..d125672d4a 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -1,6 +1,6 @@
---
-title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM
-description: Learn how to make FoD and language packs available when you're using WSUS/SCCM
+title: Windows 10 - How to make FoD and language packs available when you're using WSUS or Configuration Manager
+description: Learn how to make FoD and language packs available when you're using WSUS or Configuration Manager
ms.prod: w10
ms.mktglfcycl: manage
@@ -14,7 +14,7 @@ ms.reviewer:
manager: laurawi
ms.topic: article
---
-# How to make Features on Demand and language packs available when you're using WSUS/SCCM
+# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
> Applies to: Windows 10
@@ -26,6 +26,6 @@ In Windows 10 version 1709 and 1803, changing the **Specify settings for optiona
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It’s currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
-For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS or SCCM or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
+For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/).
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index ac597ae387..7284fecba7 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -106,7 +106,7 @@ When users start scanning in Windows Update through the Settings panel, the foll
|MU|7971f918-a847-4430-9279-4a52d1efe18d|
|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289|
|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552|
-|WSUS or SCCM|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 |
+|WSUS or Configuration Manager|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 |
|Offline scan service|Via IUpdateServiceManager::AddScanPackageService|
#### Finds network faults
@@ -117,9 +117,9 @@ Common update failure is caused due to network issues. To find the root of the i
- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting.
> [!NOTE]
- > Warning messages for SLS can be ignored if the search is against WSUS/SCCM.
+ > Warning messages for SLS can be ignored if the search is against WSUS or Configuration Manager.
-- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured.
+- On sites that only use WSUS or Configuration Manager, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured.
## Downloading updates
diff --git a/windows/deployment/update/images/UC-vid-crop.jpg b/windows/deployment/update/images/UC-vid-crop.jpg
deleted file mode 100644
index 47e74febbc..0000000000
Binary files a/windows/deployment/update/images/UC-vid-crop.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/UC_00_marketplace_search.PNG b/windows/deployment/update/images/UC_00_marketplace_search.PNG
deleted file mode 100644
index dcdf25d38a..0000000000
Binary files a/windows/deployment/update/images/UC_00_marketplace_search.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_01_marketplace_create.PNG b/windows/deployment/update/images/UC_01_marketplace_create.PNG
deleted file mode 100644
index 4b34311112..0000000000
Binary files a/windows/deployment/update/images/UC_01_marketplace_create.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_02_workspace_create.PNG b/windows/deployment/update/images/UC_02_workspace_create.PNG
deleted file mode 100644
index ed3eeeebbb..0000000000
Binary files a/windows/deployment/update/images/UC_02_workspace_create.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_03_workspace_select.PNG b/windows/deployment/update/images/UC_03_workspace_select.PNG
deleted file mode 100644
index d00864b861..0000000000
Binary files a/windows/deployment/update/images/UC_03_workspace_select.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG
deleted file mode 100644
index 3ea9f57531..0000000000
Binary files a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_commercialID.png b/windows/deployment/update/images/UC_commercialID.png
deleted file mode 100644
index 6896be03e6..0000000000
Binary files a/windows/deployment/update/images/UC_commercialID.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_commercialID_GP.png b/windows/deployment/update/images/UC_commercialID_GP.png
deleted file mode 100644
index 95d92cf6df..0000000000
Binary files a/windows/deployment/update/images/UC_commercialID_GP.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_telemetrylevel.png b/windows/deployment/update/images/UC_telemetrylevel.png
deleted file mode 100644
index a11e68a5f8..0000000000
Binary files a/windows/deployment/update/images/UC_telemetrylevel.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG
deleted file mode 100644
index 40dcaef949..0000000000
Binary files a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-01-wdav.png b/windows/deployment/update/images/uc-01-wdav.png
deleted file mode 100644
index c0ef37ebc6..0000000000
Binary files a/windows/deployment/update/images/uc-01-wdav.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-01.png b/windows/deployment/update/images/uc-01.png
deleted file mode 100644
index 7f4df9f6d7..0000000000
Binary files a/windows/deployment/update/images/uc-01.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-02.png b/windows/deployment/update/images/uc-02.png
deleted file mode 100644
index 8317f051c3..0000000000
Binary files a/windows/deployment/update/images/uc-02.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-02a.png b/windows/deployment/update/images/uc-02a.png
deleted file mode 100644
index d12544e3a0..0000000000
Binary files a/windows/deployment/update/images/uc-02a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-03.png b/windows/deployment/update/images/uc-03.png
deleted file mode 100644
index 58494c4128..0000000000
Binary files a/windows/deployment/update/images/uc-03.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-03a.png b/windows/deployment/update/images/uc-03a.png
deleted file mode 100644
index 39412fc8f3..0000000000
Binary files a/windows/deployment/update/images/uc-03a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-04.png b/windows/deployment/update/images/uc-04.png
deleted file mode 100644
index ef9a37d379..0000000000
Binary files a/windows/deployment/update/images/uc-04.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-04a.png b/windows/deployment/update/images/uc-04a.png
deleted file mode 100644
index 537d4bbe72..0000000000
Binary files a/windows/deployment/update/images/uc-04a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-05.png b/windows/deployment/update/images/uc-05.png
deleted file mode 100644
index 21c8e9f9e0..0000000000
Binary files a/windows/deployment/update/images/uc-05.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-05a.png b/windows/deployment/update/images/uc-05a.png
deleted file mode 100644
index 2271181622..0000000000
Binary files a/windows/deployment/update/images/uc-05a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-06.png b/windows/deployment/update/images/uc-06.png
deleted file mode 100644
index 03a559800b..0000000000
Binary files a/windows/deployment/update/images/uc-06.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-06a.png b/windows/deployment/update/images/uc-06a.png
deleted file mode 100644
index 15df1cfea0..0000000000
Binary files a/windows/deployment/update/images/uc-06a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-07.png b/windows/deployment/update/images/uc-07.png
deleted file mode 100644
index de1ae35e82..0000000000
Binary files a/windows/deployment/update/images/uc-07.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-07a.png b/windows/deployment/update/images/uc-07a.png
deleted file mode 100644
index c0f2d9fd73..0000000000
Binary files a/windows/deployment/update/images/uc-07a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-08.png b/windows/deployment/update/images/uc-08.png
deleted file mode 100644
index 877fcd64c0..0000000000
Binary files a/windows/deployment/update/images/uc-08.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-08a.png b/windows/deployment/update/images/uc-08a.png
deleted file mode 100644
index 89da287d3d..0000000000
Binary files a/windows/deployment/update/images/uc-08a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-09.png b/windows/deployment/update/images/uc-09.png
deleted file mode 100644
index 37d7114f19..0000000000
Binary files a/windows/deployment/update/images/uc-09.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-09a.png b/windows/deployment/update/images/uc-09a.png
deleted file mode 100644
index f6b6ec5b60..0000000000
Binary files a/windows/deployment/update/images/uc-09a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-10.png b/windows/deployment/update/images/uc-10.png
deleted file mode 100644
index ea065590b9..0000000000
Binary files a/windows/deployment/update/images/uc-10.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-10a.png b/windows/deployment/update/images/uc-10a.png
deleted file mode 100644
index 1c6b8b01dc..0000000000
Binary files a/windows/deployment/update/images/uc-10a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-11.png b/windows/deployment/update/images/uc-11.png
deleted file mode 100644
index 8b4fc568ea..0000000000
Binary files a/windows/deployment/update/images/uc-11.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-12.png b/windows/deployment/update/images/uc-12.png
deleted file mode 100644
index 4198684c99..0000000000
Binary files a/windows/deployment/update/images/uc-12.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-13.png b/windows/deployment/update/images/uc-13.png
deleted file mode 100644
index 117f9b9fd8..0000000000
Binary files a/windows/deployment/update/images/uc-13.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-14.png b/windows/deployment/update/images/uc-14.png
deleted file mode 100644
index 66047984e7..0000000000
Binary files a/windows/deployment/update/images/uc-14.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-15.png b/windows/deployment/update/images/uc-15.png
deleted file mode 100644
index c241cd9117..0000000000
Binary files a/windows/deployment/update/images/uc-15.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-16.png b/windows/deployment/update/images/uc-16.png
deleted file mode 100644
index e7aff4d4ed..0000000000
Binary files a/windows/deployment/update/images/uc-16.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-17.png b/windows/deployment/update/images/uc-17.png
deleted file mode 100644
index cb8e42ca5e..0000000000
Binary files a/windows/deployment/update/images/uc-17.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-18.png b/windows/deployment/update/images/uc-18.png
deleted file mode 100644
index 5eff59adc9..0000000000
Binary files a/windows/deployment/update/images/uc-18.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-19.png b/windows/deployment/update/images/uc-19.png
deleted file mode 100644
index 791900eafc..0000000000
Binary files a/windows/deployment/update/images/uc-19.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-20.png b/windows/deployment/update/images/uc-20.png
deleted file mode 100644
index 7dbb027b9f..0000000000
Binary files a/windows/deployment/update/images/uc-20.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-21.png b/windows/deployment/update/images/uc-21.png
deleted file mode 100644
index 418db41fe4..0000000000
Binary files a/windows/deployment/update/images/uc-21.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-22.png b/windows/deployment/update/images/uc-22.png
deleted file mode 100644
index 2ca5c47a61..0000000000
Binary files a/windows/deployment/update/images/uc-22.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-23.png b/windows/deployment/update/images/uc-23.png
deleted file mode 100644
index 58b82db82d..0000000000
Binary files a/windows/deployment/update/images/uc-23.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-24.png b/windows/deployment/update/images/uc-24.png
deleted file mode 100644
index 00bc61e3e1..0000000000
Binary files a/windows/deployment/update/images/uc-24.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-25.png b/windows/deployment/update/images/uc-25.png
deleted file mode 100644
index 4e0f0bdb03..0000000000
Binary files a/windows/deployment/update/images/uc-25.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-DO-status.png b/windows/deployment/update/images/uc-DO-status.png
deleted file mode 100644
index d4b47be324..0000000000
Binary files a/windows/deployment/update/images/uc-DO-status.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-emptyworkspacetile.PNG b/windows/deployment/update/images/uc-emptyworkspacetile.PNG
deleted file mode 100644
index 24c37d4279..0000000000
Binary files a/windows/deployment/update/images/uc-emptyworkspacetile.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-featureupdatestatus.PNG b/windows/deployment/update/images/uc-featureupdatestatus.PNG
deleted file mode 100644
index ae6a38502f..0000000000
Binary files a/windows/deployment/update/images/uc-featureupdatestatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-filledworkspacetile.PNG b/windows/deployment/update/images/uc-filledworkspacetile.PNG
deleted file mode 100644
index 7293578b1a..0000000000
Binary files a/windows/deployment/update/images/uc-filledworkspacetile.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-filledworkspaceview.PNG b/windows/deployment/update/images/uc-filledworkspaceview.PNG
deleted file mode 100644
index 8d99e52e02..0000000000
Binary files a/windows/deployment/update/images/uc-filledworkspaceview.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-needattentionoverview.PNG b/windows/deployment/update/images/uc-needattentionoverview.PNG
deleted file mode 100644
index 50b6d04699..0000000000
Binary files a/windows/deployment/update/images/uc-needattentionoverview.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-overviewblade.PNG b/windows/deployment/update/images/uc-overviewblade.PNG
deleted file mode 100644
index dca364daf6..0000000000
Binary files a/windows/deployment/update/images/uc-overviewblade.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png b/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png
deleted file mode 100644
index f52087a4a7..0000000000
Binary files a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-securityupdatestatus.PNG b/windows/deployment/update/images/uc-securityupdatestatus.PNG
deleted file mode 100644
index 75e9d10fd8..0000000000
Binary files a/windows/deployment/update/images/uc-securityupdatestatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG b/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG
deleted file mode 100644
index e3f6990348..0000000000
Binary files a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/update-catalog.png b/windows/deployment/update/images/update-catalog.png
new file mode 100644
index 0000000000..e199b3a23a
Binary files /dev/null and b/windows/deployment/update/images/update-catalog.png differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index a81d83a38c..6c8417f572 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -36,7 +36,7 @@ Windows as a service provides a new way to think about building, deploying, and
| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. |
| [Assign devices to servicing branches for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. |
-| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. |
+| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. |
| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. |
| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
@@ -48,5 +48,5 @@ Windows as a service provides a new way to think about building, deploying, and
>[!TIP]
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
+>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
new file mode 100644
index 0000000000..c981469bef
--- /dev/null
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -0,0 +1,452 @@
+---
+title: Update Windows 10 media with Dynamic Update
+description: Learn how to deploy feature updates to your mission critical devices
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+itproauthor: jaimeo
+author: SteveDiAcetis
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Update Windows 10 media with Dynamic Update
+
+**Applies to**: Windows 10
+
+This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images prior to deployment and includes Windows PowerShell scripts you can use to automate this process.
+
+Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
+
+## Dynamic Update
+
+Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages includes the following kinds of updates:
+
+- Updates to Setup.exe binaries or other files that Setup uses for feature updates
+- Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
+- Updates to the servicing stack necessary to complete the feature update (see [Servicing stack updates](servicing-stack-updates.md) for more information)
+- The latest cumulative (quality) update
+- Updates to applicable drivers already published by manufacturers specifically intended for Dynamic Update
+
+Dynamic Update preserves language pack and Features on Demand packages by reacquiring them.
+
+Devices must be able to connect to the internet to obtain Dynamic Updates. In some environments, it's not an option to obtain Dynamic Updates. You can still do a media-based feature update by acquiring Dynamic Update packages and applying it to the image prior to starting Setup on the device.
+
+## Acquire Dynamic Update packages
+
+You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. For example, you could enter *1809 Dynamic Update x64*, which would return results like this:
+
+
+
+The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
+
+
+|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) |
+|---------|---------|---------|---------|
+|Safe OS Dynamic Update | 2019-08 Dynamic Update... | Windows 10 Dynamic Update,Windows **Safe OS Dynamic Update** | ComponentUpdate: |
+|Setup Dynamic Update | 2019-08 Dynamic Update... | Windows 10 Dynamic Update | **SetupUpdate** |
+|Latest cumulative update | 2019-08 **Cumulative Update for Windows 10** | Windows 10 | Install this update to resolve issues in Windows... |
+|Servicing stack Dynamic Update | 2019-09 **Servicing Stack Update for Windows 10** | Windows 10... | Install this update to resolve issues in Windows... |
+
+If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, since Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image.
+
+## Update Windows 10 installation media
+
+Properly updating the installation media involves a large number of actions operating on several different targets (image files). Some actions are repeated on different targets. The target images files include:
+
+- Windows Preinstallation Environment (WinPE): a small operating system used to install, deploy, and repair Windows operating systems
+- Windows Recovery Environment (WinRE): repairs common causes of unbootable operating systems. WinRE is based on WinPE and can be customized with additional drivers, languages, optional packages, and other troubleshooting or diagnostic tools.
+- Windows operating system: one or more editions of Windows 10 stored in \sources\install.wim
+- Windows installation media: the complete collection of files and folders in the Windows 10 installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
+
+This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding the Dynamic Update for Setup to the new media (26).
+
+|Task |WinRE (winre.wim) |WinPE (boot.wim) |Operating system (install.wim) | New media |
+|---------|---------|---------|---------|------|
+|Add servicing stack Dynamic Update | 1 | 9 | 18 |
+|Add language pack | 2 | 10 | 19 |
+|Add localized optional packages | 3 | 11 | |
+|Add font support | 4 | 12 | |
+|Add text-to-speech | 5 | 13 | |
+|Update Lang.ini | | 14 | |
+|Add Features on Demand | | | 20 |
+|Add Safe OS Dynamic Update | 6 | | |
+|Add Setup Dynamic Update | | | | 26
+|Add latest cumulative update | | 15 | 21 |
+|Clean up the image | 7 | 16 | 22 |
+|Add Optional Components | | | 23 |
+|Add .Net and .Net cumulative updates | | | 24 |
+|Export image | 8 | 17 | 25 |
+
+### Multiple Windows editions
+
+The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
+
+### Additional languages and features
+
+You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
+
+Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+
+## Windows PowerShell scripts to apply Dynamic Updates to an existing image
+
+These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages is stored locally in this folder structure:
+
+
+|Folder |Description |
+|---------|---------|
+|C:\mediaRefresh | Parent folder that contains the PowerShell script |
+|C:\mediaRefresh\oldMedia | Folder that contains the original media that will be refreshed. For example, contains Setup.exe, and \sources folder. |
+|C:\mediaRefresh\newMedia | Folder that will contain the updated media. It is copied from \oldMedia, then used as the target for all update and cleanup operations. |
+
+### Get started
+
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
+
+```
+function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
+
+Write-Host "$(Get-TS): Starting media refresh"
+
+# Declare media for FOD and LPs
+$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
+$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
+
+# Declare language for showcasing adding optional localized components
+$LANG = "ja-jp"
+$LANG_FONT_CAPABILITY = "jpan"
+
+# Declare Dynamic Update packages
+$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
+$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
+$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
+$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab"
+$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
+
+# Declare folders for mounted images and temp files
+$WORKING_PATH = "C:\mediaRefresh\temp"
+$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
+$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
+$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
+$WINRE_MOUNT = $WORKING_PATH + "\WinREMount"
+$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount"
+
+# Mount the language pack ISO
+Write-Host "$(Get-TS): Mounting LP ISO"
+$LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
+
+# Declare language related cabs
+$WINPE_OC_PATH = Join-Path $LP_ISO_DRIVE_LETTER":" -ChildPath "Windows Preinstallation Environment" | Join-Path -ChildPath "x64" | Join-Path -ChildPath "WinPE_OCs"
+$WINPE_OC_LANG_PATH = Join-Path $WINPE_OC_PATH $LANG
+$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -name
+$WINPE_OC_LP_PATH = Join-Path $WINPE_OC_LANG_PATH "lp.cab"
+$WINPE_FONT_SUPPORT_PATH = Join-Path $WINPE_OC_PATH "WinPE-FontSupport-$LANG.cab"
+$WINPE_SPEECH_TTS_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS.cab"
+$WINPE_SPEECH_TTS_LANG_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS-$LANG.cab"
+$OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Client-Language-Pack_x64_" + $LANG + ".cab"
+
+# Mount the Features on Demand ISO
+Write-Host "$(Get-TS): Mounting FOD ISO"
+$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
+$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
+
+# Create folders for mounting images and storing temporary files
+New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
+New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
+New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
+New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
+
+# Keep the original media, make a copy of it for the new, updateed media.
+Write-Host "$(Get-TS): Copying original media to new media path"
+Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
+Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
+```
+### Update WinRE
+
+The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its s are used for updating other s. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
+
+It finishes by cleaning and exporting the image to reduce the image size.
+
+> [!NOTE]
+> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary s in the recovery environment. The s that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
+
+```
+# Mount the main operating system, used throughout the script
+Write-Host "$(Get-TS): Mounting main OS"
+Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
+
+#
+# update Windows Recovery Environment (WinRE)
+#
+Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
+Write-Host "$(Get-TS): Mounting WinRE"
+Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
+
+# Add servicing stack update
+Write-Host "$(Get-TS): Adding package $SSU_PATH"
+Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+
+#
+# Optional: Add the language to recovery environment
+#
+# Install lp.cab cab
+Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
+Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
+
+# Install language cabs for each optional package installed
+$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
+Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
+
+ if ( ($PACKAGE.PackageState -eq "Installed") `
+ -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
+ -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
+
+ $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
+ if ($INDEX -ge 0) {
+ $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
+ Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
+ }
+ }
+ }
+}
+
+# Add font support for the new language
+if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
+}
+
+# Add TTS support for the new language
+if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
+
+ Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
+
+ Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
+ }
+}
+
+# Add Safe OS
+Write-Host "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
+Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
+
+# Perform image cleanup
+Write-Host "$(Get-TS): Performing image cleanup on WinRE"
+DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+
+# Dismount
+Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
+
+# Export
+Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
+Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
+```
+### Update WinPE
+
+This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
+
+```
+#
+# update Windows Preinstallation Environment (WinPE)
+#
+
+# Get the list of images contained within WinPE
+$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
+
+Foreach ($IMAGE in $WINPE_IMAGES) {
+
+ # update WinPE
+ Write-Host "$(Get-TS): Mounting WinPE"
+ Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
+
+ # Add SSU
+ Write-Host "$(Get-TS): Adding package $SSU_PATH"
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+
+ # Install lp.cab cab
+ Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
+
+ # Install language cabs for each optional package installed
+ $WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT
+ Foreach ($PACKAGE in $WINPE_INSTALLED_OC) {
+
+ if ( ($PACKAGE.PackageState -eq "Installed") `
+ -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
+ -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
+
+ $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
+ if ($INDEX -ge 0) {
+
+ $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
+ Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
+ }
+ }
+ }
+ }
+
+ # Add font support for the new language
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
+ }
+
+ # Add TTS support for the new language
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
+
+ Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
+
+ Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
+ }
+ }
+
+ # Generates a new Lang.ini file which is used to define the language packs inside the image
+ if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
+ Write-Host "$(Get-TS): Updating lang.ini"
+ DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
+ }
+
+ # Add latest cumulative update
+ Write-Host "$(Get-TS): Adding package $LCU_PATH"
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
+
+ # Perform image cleanup
+ Write-Host "$(Get-TS): Performing image cleanup on WinPE"
+ DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+
+ # Dismount
+ Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
+
+ #Export WinPE
+ Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
+ Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
+
+}
+
+Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
+```
+### Update the main operating system
+
+For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
+
+Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
+
+You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
+
+```
+#
+# update Main OS
+#
+
+# Add servicing stack update
+Write-Host "$(Get-TS): Adding package $SSU_PATH"
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+
+# Optional: Add language to main OS
+Write-Host "$(Get-TS): Adding package $OS_LP_PATH"
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
+
+# Optional: Add a Features on Demand to the image
+Write-Host "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
+Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+Write-Host "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
+Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+Write-Host "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
+Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+Write-Host "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
+Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+Write-Host "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
+Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+Write-Host "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
+Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+# Note: If I wanted to enable additional Features on Demand, I'd add these here.
+
+# Add latest cumulative update
+Write-Host "$(Get-TS): Adding package $LCU_PATH"
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
+
+# Copy our updated recovery image from earlier into the main OS
+# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
+# into each edition to enable single instancing
+Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
+
+# Perform image cleanup
+Write-Host "$(Get-TS): Performing image cleanup on main OS"
+DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+
+#
+# Note: If I wanted to enable additional Optional Components, I'd add these here.
+# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
+# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
+#
+
+Write-Host "$(Get-TS): Adding NetFX3~~~~"
+Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+# Add .Net Cumulative Update
+Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH"
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
+
+# Dismount
+Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
+
+# Export
+Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
+Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
+```
+
+### Update remaining media files
+
+This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests.
+
+```
+#
+# update remaining files on media
+#
+
+# Add Setup DU by copy the files from the package into the newMedia
+Write-Host "$(Get-TS): Adding package $SETUP_DU_PATH"
+cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
+```
+### Finish up
+
+As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
+
+```
+#
+# Perform final cleanup
+#
+
+# Remove our working folder
+Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
+
+# Dismount ISO images
+Write-Host "$(Get-TS): Dismounting ISO images"
+Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
+Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
+
+Write-Host "$(Get-TS): Media refresh completed!"
+```
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
new file mode 100644
index 0000000000..fc22965271
--- /dev/null
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -0,0 +1,77 @@
+---
+title: Manually configuring devices for Update Compliance
+ms.reviewer:
+manager: laurawi
+description: Manually configuring devices for Update Compliance
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Manually Configuring Devices for Update Compliance
+
+There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
+
+The requirements are separated into different categories:
+
+1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
+2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations.
+3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
+
+## Required policies
+
+> [!NOTE]
+> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
+
+Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
+
+- **Policy** corresponds to the location and name of the policy.
+- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) telemetry, but can function off Enhanced or Full (or Optional).
+- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any.
+
+### Mobile Device Management policies
+
+Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details.
+
+| Policy | Value | Function |
+|---------------------------|-|------------------------------------------------------------|
+|**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
+|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |1- Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. |
+|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | Disable Telemetry opt-in Settings | (*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. |
+|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+
+### Group Policies
+
+All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
+
+| Policy | Value | Function |
+|---------------------------|-|-----------------------------------------------------------|
+|**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. |
+|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. |
+|**Configure telemetry opt-in setting user interface** | Disable telemetry opt-in Settings |(*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. |
+|**Allow device name to be sent in Windows diagnostic data** | Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+
+## Required endpoints
+
+To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
+
+| **Endpoint** | **Function** |
+|---------------------------------------------------------|-----------|
+| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. Census.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. |
+| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
+| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
+| `http://adl.windows.com` | Required for Windows Update functionality. |
+| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
+| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
+| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. This also requires Microsoft Account Sign-in Assistant service to be running (wlidsvc). |
+
+## Required services
+
+Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
new file mode 100644
index 0000000000..2167039e0c
--- /dev/null
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -0,0 +1,99 @@
+---
+title: Update Compliance Configuration Script
+ms.reviewer:
+manager: laurawi
+description: Downloading and using the Update Compliance Configuration Script
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Configuring devices through the Update Compliance Configuration Script
+
+The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
+
+You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
+
+## How the script is organized
+
+The script is organized into two folders **Pilot** and **Deployment**. Both folders have the same key files: `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the .bat itself, which will then execute `ConfigScript.ps1` with the parameters entered to RunConfig.bat.
+
+- The **Pilot** folder and its contents are intended to be used on an initial set of single devices in specific environments (main office & satellite office, for example) for testing and troubleshooting prior to broader deployment. This script is configured to collect and output detailed logs for every device it runs on.
+- The **Deployment** folder is intended to be deployed across an entire device population in a specific environment once devices in that environment have been validated with the Pilot script.
+
+## How to use the script
+
+### Piloting and Troubleshooting
+
+> [!IMPORTANT]
+> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.
+
+When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:
+
+1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode.
+2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid).
+3. Run the script. The script must be run in System context.
+4. Examine the Logs output for any issues. If there were issues:
+ - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
+ - Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes.
+ - Make the necessary corrections and run the script again.
+5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder.
+
+
+### Broad deployment
+
+After verifying on a set of devices in a specific environment that everything is configured correctly, you can proceed to broad deployment.
+
+1. Configure `commercialIDValue` in `RunConfig.bat` to [your CommercialID](update-compliance-get-started.md#get-your-commercialid).
+2. Use a management tool like Configuration Manager or Intune to broadly deploy the script to your entire target population.
+
+## Script Error Reference
+
+|Error |Description |
+|-|-------------------|
+| 27 | Not system account. |
+| 37 | Unexpected exception when collecting logs|
+| 1 | General unexpected error|
+| 6 | Invalid CommercialID|
+| 48 | CommercialID is not a GUID|
+| 8 | Couldn't create registry key path to setup CommercialID|
+| 9 | Couldn't write CommercialID at registry key path|
+| 53 | There are conflicting CommercialID values.|
+| 11 | Unexpected result when setting up CommercialID.|
+| 62 | AllowTelemetry registry key is not of the correct type `REG_DWORD`|
+| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.|
+| 64 | AllowTelemetry is not of the correct type `REG_DWORD`.|
+| 99 | Device is not Windows 10.|
+| 40 | Unexpected exception when checking and setting telemetry.|
+| 12 | CheckVortexConnectivity failed, check Log output for more information.|
+| 12 | Unexpected failure when running CheckVortexConnectivity.|
+| 66 | Failed to verify UTC connectivity and recent uploads.|
+| 67 | Unexpected failure when verifying UTC CSP connectivity of the WMI Bridge.|
+| 41 | Unable to impersonate logged-on user.|
+| 42 | Unexpected exception when attempting to impersonate logged-on user.|
+| 43 | Unexpected exception when attempting to impersonate logged-on user.|
+| 16 | Reboot is pending on device, restart device and restart script.|
+| 17 | Unexpected exception in CheckRebootRequired.|
+| 44 | Error when running CheckDiagTrack service.|
+| 45 | DiagTrack.dll not found.|
+| 50 | DiagTrack service not running.|
+| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.|
+| 55 | Failed to create new registry path for `SetDeviceNameOptIn` of the PowerShell script.|
+| 56 | Failed to create property for `SetDeviceNameOptIn` of the PowerShell script at registry path.|
+| 57 | Failed to update value for `SetDeviceNameOptIn` of the PowerShell script.|
+| 58 | Unexpected exception in `SetDeviceNameOptIn` of the PowerShell script.|
+| 59 | Failed to delete `LastPersistedEventTimeOrFirstBoot` property at registry path when attempting to clean up OneSettings.|
+| 60 | Failed to delete registry key when attempting to clean up OneSettings.|
+| 61 | Unexpected exception when attempting to clean up OneSettings.|
+| 52 | Could not find Census.exe|
+| 51 | Unexpected exception when attempting to run Census.exe|
+| 34 | Unexpected exception when attempting to check Proxy settings.|
+| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.|
+| 35 | Unexpected exception when checking User Proxy.|
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index 612c44e92a..c3c6abb633 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -17,7 +17,7 @@ ms.topic: article
# Delivery Optimization in Update Compliance
-The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
+The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
## Delivery Optimization Status
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 2d3216901c..1fc602e081 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -37,9 +37,7 @@ Refer to the following list for what each state means:
## Compatibility holds
-Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
-
-To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status).
+Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device's upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
### Opting out of compatibility hold
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 5e81c8e5a0..4e77a4d513 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -1,8 +1,8 @@
---
-title: Get started with Update Compliance (Windows 10)
+title: Get started with Update Compliance
ms.reviewer:
manager: laurawi
-description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network.
+description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance
keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
ms.mktglfcycl: deploy
@@ -16,113 +16,68 @@ ms.topic: article
---
# Get started with Update Compliance
-This topic explains the steps necessary to configure your environment for Update Compliance.
-Steps are provided in sections that follow the recommended setup process:
+This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
-1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites).
-2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription).
-3. [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance).
-4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and get Delivery Optimization insights.
+1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance.
+2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
+3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance.
+
+After adding the solution to Azure and configuring devices, there will be a waiting period of up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
## Update Compliance prerequisites
+
Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
-1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
-2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them.
-3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device.
-4. For Windows 10 1803+, device names will not appear in Update Compliance unless you opt in. The steps to accomplish this is outlined in the [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance) section.
+
+1. **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](https://docs.microsoft.com/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
+2. **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel (SAC) and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them.
+3. **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
+4. **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
+5. **Showing Device Names in Update Compliance**: For Windows 10 1803+, device names will not appear in Update Compliance unless you individually opt-in devices via policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
## Add Update Compliance to your Azure subscription
-Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
-1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
+Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
+
+1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You may need to login to your Azure subscription to access this.
+2. Select **Get it now**.
+3. Choose an existing or configure a new Log Analytics Workspace. While an Azure subscription is required, you will not be charged for ingestion of Update Compliance data.
+ - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance.
+ - [Azure Update Management](https://docs.microsoft.com/azure/automation/automation-update-management) customers are advised to use the same workspace for Update Compliance.
+4. After your workspace is configured and selected, select **Create**. You will receive a notification when the solution has been successfully created.
> [!NOTE]
-> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance.
+> It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](https://docs.microsoft.com/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription.
-2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below.
+### Get your CommercialID
-
+A CommercialID is a globally-unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment.
-3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure.
+To find your CommercialID within Azure:
-
+1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution.
+2. From there, select the Update Compliance Settings page on the navbar.
+3. Your CommercialID is available in the settings page.
-4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution.
- - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance.
- - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:
- - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
- - For the resource group setting select **Create new** and use the same name you chose for your new workspace.
- - For the location setting, choose the Azure region where you would prefer the data to be stored.
- - For the pricing tier select **per GB**.
-
-
-
-5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**.
-
-
-
-6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**.
-
-
+> [!IMPORTANT]
+> Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices.
## Enroll devices in Update Compliance
-Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are three key steps to ensure successful enrollment:
-### Deploy your Commercial ID to devices
-A Commercial ID is a globally-unique identifier assigned to a specific Log Analytics workspace. This is used to identify devices as part of your environment.
+Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance.
-To find your Commercial ID within Azure:
-1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution.
-2. From there, select the Update Compliance Settings page on the navbar.
-3. Your Commercial ID is available in the settings page.
+> [!NOTE]
+> After configuring devices via one of the two methods below, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.
-
+### Configure devices using the Update Compliance Configuration Script
->**Important**
->
->Regenerate your Commercial ID only if your Original ID key can no longer be used or if you want to completely reset your workspace. Regenerating your Commercial ID cannot be undone and will result in you losing data for all devices that have the current Commercial ID until the new Commercial ID is deployed to devices.
+The recommended way to configure devices to send data to Update Compliance is using the [Update Compliance Configuration Script](update-compliance-configuration-script.md). The script configures required policies via Group Policy. The script comes with two versions:
-#### Deploying Commercial ID using Group Policy
-Commercial ID can be deployed using Group Policy. The Group Policy for Commercial ID is under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure the Commercial ID**.
+- Pilot is more verbose and is intended to be use on an initial set of devices and for troubleshooting.
+- Deployment is intended to be deployed across the entire device population you want to monitor with Update Compliance.
-
+To download the script and learn what you need to configure and how to troubleshoot errors, see [Configuring Devices using the Update Compliance Configuration Script](update-compliance-configuration-script.md).
-#### Deploying Commercial ID using MDM
-Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+### Configure devices manually
-### Ensure endpoints are whitelisted
-To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to whitelist the following endpoints. You may need security group approval to do this.
-
-| **Endpoint** | **Function** |
-|---------------------------------------------------------|-----------|
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. |
-| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
-| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
-| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
-| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
-| `https://login.live.com` | This endpoint is optional but allows for the Update Compliance service to more reliably identify and process devices. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. |
-
-### Set diagnostic data levels
-Update Compliance requires that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
-
-#### Configuring Telemetry level using Group Policy
-You can set Allow Telemetry through Group Policy, this setting is in the same place as the Commercial ID policy, under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry**. Update Compliance requires at least Basic (level 1) to function.
-
-
-
-#### Configuring Telemetry level using MDM
-Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
-
-### Enabling Device Name in telemetry
-Beginning with Windows 10, version 1803, Device Name is no longer collected as part of normal Windows Diagnostic Data and must explicitly be allowed to be sent to Microsoft. If devices do not have this policy enabled, their device name will appear as '#' instead.
-
-#### Allow Device Name in Telemetry with Group Policy
-Allow Device Name in Telemetry is under the same node as Commercial ID and Allow Telemetry policies in Group Policy, listed as **Allow device name to be sent in Windows diagnostic data**.
-
-#### Allow Device Name in Telemetry with MDM
-Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
-
->[!NOTE]
->After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices.
\ No newline at end of file
+It is possible to manually configure devices to send data to Update Compliance, but the recommended method of configuration is to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md). To learn more about configuring devices manually, see [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 731828c027..55e6f693d9 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -17,7 +17,10 @@ ms.topic: article
# Monitor Windows Updates with Update Compliance
-
+> [!IMPORTANT]
+> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Windows Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020.
+> * The retirement of Windows Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
+> * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
## Introduction
@@ -29,30 +32,15 @@ Update Compliance enables organizations to:
Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
-Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal).
+Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
-- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
-- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
+- [Get started with Update Compliance](update-compliance-get-started.md) provides directions on adding Update Compliance to your Azure subscription and configuring devices to send data to Update Compliance.
+- [Using Update Compliance](update-compliance-using.md) breaks down every aspect of the Update Compliance experience.
-## Update Compliance architecture
-
-The Update Compliance architecture and data flow follows this process:
-
-1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
-2. Diagnostic data is analyzed by the Update Compliance Data Service.
-3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
-4. Diagnostic data is available in the Update Compliance solution.
-
-
->[!NOTE]
->This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md).
-
-
-
-
## Related topics
-[Get started with Update Compliance](update-compliance-get-started.md)
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
\ No newline at end of file
+* [Get started with Update Compliance](update-compliance-get-started.md)
+* [Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
+* [Update Compliance Schema Reference](update-compliance-schema.md)
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index a4b940a236..b3a4ca35a7 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -19,8 +19,8 @@ ms.topic: article
The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
->[!NOTE]
->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
+> [!NOTE]
+> The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
The different issues are broken down by Device Issues and Update Issues:
@@ -39,8 +39,8 @@ The different issues are broken down by Device Issues and Update Issues:
Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
->[!NOTE]
->This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
+> [!NOTE]
+> This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
## List of Queries
diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md
deleted file mode 100644
index b38df5c5af..0000000000
--- a/windows/deployment/update/update-compliance-perspectives.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Update Compliance - Perspectives
-ms.reviewer:
-manager: laurawi
-description: an overview of Update Compliance Perspectives
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-itproauthor: jaimeo
-author: jaimeo
-ms.author: jaimeo
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Perspectives
-
-
-
-Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance.
-
-There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates.
-
-The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered.
-
-The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any).
-
-## Deployment status
-
-The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
-
-| State | Description |
-| --- | --- |
-| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
-| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
-| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
-| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. |
-| Cancelled | The update was cancelled. |
-| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
-| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
-| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
-| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). |
-
-## Detailed deployment status
-
-The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
-
-| State | Description |
-| --- | --- |
-| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. |
-| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. |
-| Update offered | The device has been offered the update, but has not begun downloading it. |
-| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
-| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
-| Download Started | The update has begun downloading on the device. |
-| Download Succeeded | The update has successfully completed downloading. |
-| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
-| Install Started | Installation of the update has begun. |
-| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
-| Reboot Pending | The device has a scheduled reboot to apply the update. |
-| Reboot Initiated | The scheduled reboot has been initiated. |
-| Update Completed/Commit | The update has successfully installed. |
-
->[!NOTE]
->Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md
new file mode 100644
index 0000000000..a455261f8c
--- /dev/null
+++ b/windows/deployment/update/update-compliance-privacy.md
@@ -0,0 +1,55 @@
+---
+title: Privacy in Update Compliance
+ms.reviewer:
+manager: laurawi
+description: an overview of the Feature Update Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Privacy in Update Compliance
+
+Update Compliance is fully committed to privacy, centering on these tenets:
+
+- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
+- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics.
+- **Security:** Your data is protected with strong security and encryption.
+- **Trust:** Update Compliance supports the Online Services Terms.
+
+## Data flow for Update Compliance
+
+The data flow sequence is as follows:
+
+1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US.
+2. An IT Administrator creates an Azure Log Analytics workspace. They then choose the location this workspace will store data and receives a Commercial ID for that workspace. The Commercial ID is added to each device in an organization by way of Group Policy, MDM or registry key.
+3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management Service, identifying devices by Commercial ID.
+4. These snapshots are copied to transient storage, used solely for Update Compliance where they are partitioned by Commercial ID.
+5. The snapshots are then copied to the appropriate Azure Log Analytics workspace, where the Update Compliance experience pulls the information from to populate visuals.
+
+## FAQ
+
+### Can Update Compliance be used without a direct client connection to the Microsoft Data Management Service?
+
+No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity.
+
+### Can I choose the data center location?
+
+Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US).
+
+## Related topics
+
+See related topics for additional background information on privacy and treatment of diagnostic data:
+
+- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
+- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
+- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
+- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
+- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
+- [Trust Center](https://www.microsoft.com/trustcenter)
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
new file mode 100644
index 0000000000..3cbcbbeb28
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -0,0 +1,46 @@
+---
+title: Update Compliance Schema - WaaSDeploymentStatus
+ms.reviewer:
+manager: laurawi
+description: WaaSDeploymentStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSDeploymentStatus
+
+WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time.
+
+|Field |Type |Example |Description |
+|-|-|-----|------------------------|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**DeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
+|**DeploymentError** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
+|**DeploymentErrorCode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
+|**DeploymentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Failed` |The high level status of installing this update on this device. Possible values are:
**Update completed**: Device has completed the update installation. **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`. **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update. **Cancelled**: The update was cancelled. **Blocked**: There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that have not sent any deployment data for that update will have the status `Unknown`. **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update. **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
+|**DetailedStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
**Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred. **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered. **Update offered**: The device has been offered the update, but has not begun downloading it. **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update. **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds). **Download started**: The update has begun downloading on the device. **Download Succeeded**: The update has successfully completed downloading. **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed. **Install Started**: Installation of the update has begun. **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed. **Reboot Pending**: The device has a scheduled reboot to apply the update. **Reboot Initiated**: The scheduled reboot has been initiated. **Commit**: Changes are being committed post-reboot. This is another step of the installation process. **Update Completed**: The update has successfully installed.|
+|**ExpectedInstallDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |
+|**OriginBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build currently installed on the device. |
+|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`719` |The revision of the OSBuild installed on the device. |
+|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**PauseState** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
**Expired**: The pause period has expired. **NotConfigured**: Pause is not configured. **Paused**: The device was last reported to be pausing this content type. **NotPaused**: The device was last reported to not have any pause on this content type. |
+|**RecommendedAction** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The recommended action to take in the event this device needs attention, if any. |
+|**ReleaseName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`KB4551762` |The KB Article corresponding to the TargetOSRevision, if any. |
+|**TargetBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The target OSBuild, the update being installed or considered as part of this WaaSDeploymentStatus record. |
+|**TargetOSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The target OSVersion. |
+|**TargetOSRevision** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |The target OSRevisionNumber. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**UpdateCategory** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Quality` |The high-level category of content type this Windows Update belongs to. Possible values are **Feature** and **Quality**. |
+|**UpdateClassification** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Security` |Similar to UpdateCategory, this more specifically determines whether a Quality update is a security update or not. |
+|**UpdateReleasedDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime) |`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the time the update came available on Windows Update. |
diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
new file mode 100644
index 0000000000..2ddf505e62
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
@@ -0,0 +1,35 @@
+---
+title: Update Compliance Schema - WaaSInsiderStatus
+ms.reviewer:
+manager: laurawi
+description: WaaSInsiderStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSInsiderStatus
+
+WaaSInsiderStatus records contain device-centric data and acts as the device record for devices on Windows Insider Program builds in Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. Insider devices have fewer fields than [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md).
+
+
+|Field |Type |Example |Description |
+|--|--|---|--|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. |
+|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). |
+|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. |
+|**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. |
+|**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. |
+|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|3/22/`2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
new file mode 100644
index 0000000000..0b5adb4096
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
@@ -0,0 +1,46 @@
+---
+title: Update Compliance Schema - WaaSUpdateStatus
+ms.reviewer:
+manager: laurawi
+description: WaaSUpdateStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSUpdateStatus
+
+WaaSUpdateStatus records contain device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention.
+
+|Field |Type |Example |Description |
+|--|-|----|------------------------|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Simple (99)` |The device's Delivery Optimization DownloadMode. To learn about possible values, see [Delivery Optimization Reference - Download mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) |
+|**FeatureDeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The on-client Windows Update for Business Deferral Policy days.
- **<0**: A value below 0 indicates the policy is disabled.
- **0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days.
- **1+**: A value of 1 and above indicates the deferral setting, in days. |
+|**FeaturePauseDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |*Deprecated* This provides the count of days left in a pause |
+|**FeaturePauseState** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
**Expired**: The pause period has expired. **NotConfigured**: Pause is not configured. **Paused**: The device was last reported to be pausing this content type. **NotPaused**: The device was last reported to not have any pause on this content type. |
+|**QualityDeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The on-client Windows Update for Business Deferral Policy days.
**<0**: A value below 0 indicates the policy is disabled. **0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days. **1+**: A value of 1 and above indicates the deferral setting, in days. |
+|**QualityPauseDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |**Deprecated**. This provides the count of days left in a pause period.|
+|**QualityPauseState** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Quality Updates.
**Expired**: The pause period has expired. **NotConfigured**: Pause is not configured.**Paused**: The device was last reported to be pausing this content type.**NotPaused**: The device was last reported to not have any pause on this content type. |
+|**NeedAttentionStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Indicates any reason a device needs attention; if empty, there are no [Device Issues](https://docs.microsoft.com/windows/deployment/update/update-compliance-need-attention#device-issues) for this device. |
+|**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. |
+|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). |
+|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. |
+|**OSCurrentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Current` |*Deprecated* Whether or not the device is on the latest Windows Feature Update available, as well as the latest Quality Update for that Feature Update. |
+|**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. |
+|**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. |
+|**OSFeatureUpdateStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Up-to-date` |Indicates whether or not the device is on the latest available Windows 10 Feature Update. |
+|**OSQualityUpdateStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Up-to-date` |Indicates whether or not the device is on the latest available Windows 10 Quality Update (for its Feature Update). |
+|**OSSecurityUpdateStatus**|[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Up-to-date` |Indicates whether or not the device is on the latest available Windows 10 Quality Update **that is classified as containing security fixes**. |
+|**OSServicingBranch** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 2:00:00.436 AM`|A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
diff --git a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
new file mode 100644
index 0000000000..6aa934c711
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
@@ -0,0 +1,34 @@
+---
+title: Update Compliance Schema - WUDOAggregatedStatus
+ms.reviewer:
+manager: laurawi
+description: WUDOAggregatedStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WUDOAggregatedStatus
+
+WUDOAggregatedStatus records provide information, across all devices, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), over the past 28 days.
+
+These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
+
+|Field |Type |Example |Description |
+|-|-|-|-|
+|**DeviceCount** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`9999` |Total number of devices in this aggregated record. |
+|**BWOptPercent28Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 28-day basis. |
+|**BWOptPercent7Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *across all devices*, computed on a rolling 7-day basis. |
+|**BytesFromCDN** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization.|
+|**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
+|**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
+|**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
+|**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded.|
+|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace.|
diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md
new file mode 100644
index 0000000000..f3d6dc0e2a
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-wudostatus.md
@@ -0,0 +1,57 @@
+---
+title: Update Compliance Schema - WUDOStatus
+ms.reviewer:
+manager: laurawi
+description: WUDOStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WUDOStatus
+
+> [!NOTE]
+> Currently all location-based fields are not working properly. This is a known issue.
+
+WUDOStatus records provide information, for a single device, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), and other information to create more detailed reports and splice on certain common characteristics.
+
+These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
+
+|Field |Type |Example |Description |
+|-|-|-|-|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**City** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Approximate city device was in while downloading content, based on IP Address. |
+|**Country** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |Approximate country device was in while downloading content, based on IP Address. |
+|**ISP** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The Internet Service Provider estimation. |
+|**BWOptPercent28Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`68.72` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 28-day basis. |
+|**BWOptPercent7Days** |[real](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/real) |`13.58` |Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using Delivery Optimization *for this device*, computed on a rolling 7-day basis. |
+|**BytesFromCDN** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`254139` |Total number of bytes downloaded from a CDN versus a Peer. This counts against bandwidth optimization. |
+|**BytesFromGroupPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
+|**BytesFromIntPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
+|**BytesFromPeers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
+|**ContentDownloadMode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this content. |
+|**ContentType** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded. |
+|**DOStatusDescription** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |A short description of DO's status, if any. |
+|**DownloadMode** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference#download-mode) configuration for this device. |
+|**DownloadModeSrc** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Default` |The source of the DownloadMode configuration. |
+|**GroupID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) | |The DO Group ID. |
+|**NoPeersCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) | |The number of peers this device interacted with. |
+|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
+|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
+|**PeerEligibleTransfers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |Total number of eligible transfers by Peers. |
+|**PeeringStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`On` |The DO Peering Status |
+|**PeersCannotConnectCount**|[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device was unable to connect to. |
+|**PeersSuccessCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers this device successfully connected to. |
+|**PeersUnknownCount** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The number of peers for which there is an unknown relation. |
+|**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the last time the device sent data to Microsoft. This does not necessarily mean all data that is needed to populate all fields Update Compliance uses was sent, this is more like a "heartbeat". |
+|**TimeGenerated** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace. |
+|**TotalTimeForDownload** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`0:00:00` |The total time it took to download the content. |
+|**TotalTransfers** |[long](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/long) |`0` |The total number of data transfers to download this content. |
+
diff --git a/windows/deployment/update/update-compliance-schema.md b/windows/deployment/update/update-compliance-schema.md
new file mode 100644
index 0000000000..2be2ac0e78
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema.md
@@ -0,0 +1,29 @@
+---
+title: Update Compliance Data Schema
+ms.reviewer:
+manager: laurawi
+description: an overview of Update Compliance data schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Update Compliance Schema
+
+When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](https://docs.microsoft.com/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
+
+The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries).
+
+|Table |Category |Description |
+|--|--|--|
+|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |
+|[**WaaSInsiderStatus**](update-compliance-schema-waasinsiderstatus.md) |Device record |This table houses device-centric data specifically for devices enrolled to the Windows Insider Program. Devices enrolled to the Windows Insider Program do not currently have any WaaSDeploymentStatus records, so do not have Update Session data to report on update deployment progress. |
+|[**WaaSDeploymentStatus**](update-compliance-schema-waasdeploymentstatus.md) |Update Session record |This table tracks a specific update on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time. |
+|[**WUDOStatus**](update-compliance-schema-wudostatus.md) |Delivery Optimization record |This table provides information, for a single device, on their bandwidth utilization across content types in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq). |
+|[**WUDOAggregatedStatus**](update-compliance-schema-wudoaggregatedstatus.md) |Delivery Optimization record |This table aggregates all individual WUDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled to Delivery Optimization. |
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index fa252c9db1..67cc9067ac 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -22,49 +22,4 @@ The **Overall Security Update Status** blade provides a visualization of devices
The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization.
-The various deployment states reported by devices are as follows:
-
-## Deployment status
-Deployment status summarizes detailed status into higher-level states to get a quick sense of the status the given device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported deployment status.
-
-|Deployment status |Description |
-|---------|---------|
-|Failed | The device encountered a failure during the update process. Note that due to latency, devices reporting this status may have since retried the update. |
-|Progress stalled | he device started the update process, but no progress has been reported in the last 7 days. |
-|Deferred | The device is currently deferring the update process due to Windows Update for Business policies. |
-|In progress | The device has begun the updating process for this update. This status appears if the device is in any stage of the update process including and after download, but before completing the update. If no progress has been reported in the last 7 days, devices will move to **Progress stalled**.** |
-|Update completed | The device has completed the update process. |
-|Update paused | The device is prevented from being offered the update due to updates being paused on the device. |
-|Unknown | No record is available for this device relative to this update. This is a normal status if an update has recently been released or if the device does not use Windows Update. |
-
-
-## Detailed status
-Detailed status provides a detailed stage-level representation of where in the update process the device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported detailed status.
-
-
-|Detaild status |Description |
-|---------|---------|
-|Scheduled in next X days | The device is currently deferring the update with Windows Update for Business policies but will be offered the update within the next X days. |
-|Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
-|Update deferred | The device is currently deferring the update with Windows Update for Business policies. |
-|Update paused | The device is prevented from being offered the update due to updates being paused on the device. |
-|Update offered | The device has been offered the update by Windows Update but has not yet begun to download it. |
-|Download started | The device has begun downloading the update. |
-|Download succeeded | The device has finished downloading the update but has not yet begun installing the update. |
-|Install started | The device has begun installing the update. |
-|PreInstall task passed | The device has passed checks prior to beginning the rest of the installation process after a restart. |
-|Reboot required | The device requires a restart to install the update, but one has not yet been scheduled. |
-|Reboot pending | The device is pending a restart to install the update. |
-|Reboot initiated | The device reports "Reboot initiated" just before actually restarting specifically to apply the update. |
-|Commit | The device, after a restart, is committing changes relevant to the update. |
-|Finalize succeeded | The device has finished final tasks after a restart to apply the update. |
-|Update successful | The device has successfully applied the update. |
-|Cancelled | The update was cancelled at some point in the update process. |
-|Uninstalled | The update was successfully uninstalled from the device. |
-|Rollback | The update failed to apply during the update process, causing the device to roll back changes and revert to the previous update. |
-
-
-
-
-
The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section.
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 3f9b6fbcbb..47ea2040ed 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -21,14 +21,13 @@ In this section you'll learn how to use Update Compliance to monitor your device
Update Compliance:
-- Provides detailed deployment data for Windows 10 security, quality, and feature updates.
-- Reports when devices have issues related to updates that need attention.
-- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
+- Provides detailed deployment monitoring for Windows 10 Feature and Quality updates.
+- Reports when devices need attention due to issues related to update deployment.
- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md).
- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
## The Update Compliance tile
-After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile:
+After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you'll see this tile:
@@ -48,7 +47,7 @@ When you select this tile, you will be redirected to the Update Compliance works
-Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
+Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability.
* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus.
@@ -84,9 +83,9 @@ This means you should generally expect to see new data device data every 24 hour
Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure Portal, can deeply enhance your experience and complement Update Compliance.
See below for a few topics related to Log Analytics:
-* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches).
+* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure's excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches).
* To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards).
-* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about.
+* [Gain an overview of Log Analytics' alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about.
## Related topics
diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md
deleted file mode 100644
index edc9156531..0000000000
--- a/windows/deployment/update/update-compliance-wd-av-status.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Update Compliance - Windows Defender AV Status report
-ms.reviewer:
-manager: laurawi
-description: an overview of the Windows Defender AV Status report
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-itproauthor: jaimeo
-author: jaimeo
-ms.author: jaimeo
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Windows Defender AV Status
-
-
-
-The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus.
-
->[!NOTE]
->Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx).
-
-## Windows Defender AV Status sections
-The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query.
-
-The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation.
-
-Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance:
-* **Signature out of date** devices are devices with a signature older than 14 days.
-* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection.
-* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days.
-* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team.
-* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared.
-
-## Windows Defender data latency
-Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days.
-
-## Related topics
-
-- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites)
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index e7d8d21550..a5d605d778 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -110,7 +110,7 @@ Download mode dictates which download sources clients are allowed to use when do
| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
-|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
+|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
>[!NOTE]
>Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
@@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
-[//]: # (SCCM Boundary Group option; GroupID Source policy)
+[//]: # (Configuration Manager Boundary Group option; GroupID Source policy)
>[!NOTE]
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
@@ -135,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored.
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index 61a6af8b7c..ac14bcf549 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -6,7 +6,6 @@ description: Delivery Optimization is a new peer-to-peer distribution method in
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
-
audience: itpro
author: jaimeo
ms.localizationpriority: medium
@@ -183,7 +182,7 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a
### Monitor with Update Compliance
-The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
+Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 9de80024c2..d37589c3e6 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -54,7 +54,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Defender definition updates | 1511 |
| Office Click-to-Run updates | 1709 |
| Win32 apps for Intune | 1709 |
-| SCCM Express Updates | 1709 + Configuration Manager version 1711 |
+| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |
+* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
+* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
+* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
+* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
+* [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes)
+* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
+* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
+
+**What are some good recommendations for getting started with ASR?**
+
+It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
+
+Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
+
+**How long should I test an ASR rule in audit mode before enabling it?**
+
+You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
+
+**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?**
+
+Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a large number of exploits and vulnerabilities.
+
+From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
+
+**Does ASR support file or folder exclusions that include system variables and wildcards in the path?**
+
+Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
+
+**Do ASR rules cover all applications by default?**
+
+It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
+
+**Does ASR support third-party security solutions?**
+
+ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
+
+**I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?**
+
+Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP.
+
+**I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.**
+
+Try opening the indexing options directly from Windows 10.
+
+1. Select the **Search** icon on the Windows taskbar.
+
+1. Enter **Indexing options** into the search box.
+
+**Are the criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*, configurable by an admin?**
+
+No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
+
+**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?**
+
+This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
+
+Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode.
+
+**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?**
+
+A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
+
+Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
+
+**Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?**
+
+Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
+
+## Related topics
+
+* [Attack surface reduction overview](attack-surface-reduction.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+* [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
+* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
index 8d2f79fd76..13b0faad70 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
@@ -1,6 +1,6 @@
---
title: Use attack surface reduction rules in Windows 10 Enterprise E3
-description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
+description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 10/15/2018
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -21,34 +20,35 @@ ms.custom: asr
**Applies to:**
+- Windows 10 Enterprise E5
- Windows 10 Enterprise E3
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license.
+Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction includes the rules, monitoring, reporting, and analytics necessary for deployment, and this is included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). These capabilities require the Windows 10 Enterprise E5 license.
-A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises.
+A limited subset of basic attack surface reduction rules can be used with Windows 10 Enterprise E3 (without the benefits of reporting, monitoring, and analytics). The table below lists attack surface reduction rules available in Windows E3 and Windows E5.
+
+|Rule |Windows E3 |Windows E5 |
+|--|--|--|
+[Block executable content from email client and webmail](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail) |Yes |Yes |
+|[Block all Office applications from creating child processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes) |Yes |Yes |
+|[Block Office applications from creating executable content](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content) |Yes |Yes |
+|[Block Office applications from injecting code into other processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes) |Yes |Yes |
+|[Block JavaScript or VBScript from launching downloaded executable content](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content) |Yes |Yes |
+|[Block execution of potentially obfuscated scripts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts) |Yes |Yes |
+|[Block Win32 API calls from Office macros](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-win32-api-calls-from-office-macros) |Yes |Yes |
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | |Yes |
+|[Use advanced protection against ransomware](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#use-advanced-protection-against-ransomware) |Yes |Yes |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem) |Yes |Yes |
+|[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands) |Yes |Yes |
+|[Block untrusted and unsigned processes that run from USB](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-untrusted-and-unsigned-processes-that-run-from-usb) |Yes |Yes |
+|[Block Office communication applications from creating child processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-communication-application-from-creating-child-processes) | |Yes |
+|[Block Adobe Reader from creating child processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-adobe-reader-from-creating-child-processes) | |Yes |
+|[Block persistence through WMI event subscription](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription) | |Yes |
Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
-The limited subset of rules that can be used in Windows 10 Enterprise E3 include:
-
-- Block executable content from email client and webmail
-- Block all Office applications from creating child processes
-- Block Office applications from creating executable content
-- Block Office applications from injecting code into other processes
-- Block JavaScript or VBScript from launching downloaded executable content
-- Block execution of potentially obfuscated scripts
-- Block Win32 API calls from Office macro
-- Use advanced protection against ransomware
-- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
-- Block process creations originating from PSExec and WMI commands
-- Block untrusted and unsigned processes that run from USB
-
-For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md).
-
- ## Related topics
-
-Topic | Description
----|---
-[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
-[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
-[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file.
+ ## Related articles
+- [Attack surface reduction rules](attack-surface-reduction.md)
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+- [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 0da23ce0b5..da5160567b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -1,7 +1,7 @@
---
title: Use attack surface reduction rules to prevent malware infection
-description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware
-keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
+description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware.
+keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -26,27 +26,35 @@ ms.custom: asr
> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
+Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
-To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can use Event Viewer to review attack surface reduction rule events.
+Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
-Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
+- Launching executable files and scripts that attempt to download or run files
+- Running obfuscated or otherwise suspicious scripts
+- Performing behaviors that apps don't usually initiate during normal day-to-day work
-* Executable files and scripts used in Office apps or web mail that attempt to download or run files
-* Obfuscated or otherwise suspicious scripts
-* Behaviors that apps don't usually initiate during normal day-to-day work
+These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
-You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
-Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 security center.
+Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center.
-For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+
+## Attack surface reduction features across Windows versions
+
+You can set attack surface reduction rules for computers running the following versions of Windows:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
+
+To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center
-Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
+Microsoft Defender ATP provides detailed reporting for events and blocks, as part of its alert investigation scenarios.
-You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
+You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
Here is an example query:
@@ -57,219 +65,266 @@ DeviceEvents
## Review attack surface reduction events in Windows Event Viewer
-You can review the Windows event log to view events that are created when attack surface reduction rules fire:
+You can review the Windows event log to view events generated by attack surface reduction rules:
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
-2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
+2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.
-3. Click **Import custom view...** on the left panel, under **Actions**.
+3. Under **Actions**, select **Import custom view...**.
4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
-5. Click **OK**.
+5. Select **OK**.
-This will create a custom view that filters to only show the following events related to controlled folder access:
+This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
-Event ID | Description
--|-
-5007 | Event when settings are changed
-1121 | Event when rule fires in Block-mode
-1122 | Event when rule fires in Audit-mode
+|Event ID | Description |
+|---|---|
+|5007 | Event when settings are changed |
+|1121 | Event when rule fires in Block-mode |
+|1122 | Event when rule fires in Audit-mode |
-The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
+The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
## Attack surface reduction rules
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
- Rule name | GUID | File & folder exclusions
------------|------|--------------------------
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
-Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
-Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
-Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported
-Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
-Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
-Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
-
-Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
+| Rule name | GUID | File & folder exclusions | Minimum OS supported |
+|-----|----|---|---|
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
### Block executable content from email client and webmail
-This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
+This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
-* Executable files (such as .exe, .dll, or .scr)
-* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+- Executable files (such as .exe, .dll, or .scr)
+- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Microsoft Endpoint Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail
-GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
### Block all Office applications from creating child processes
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
-This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
+Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps launching child processes
Configuration Manager name: Block Office application from creating child processes
-GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
### Block Office applications from creating executable content
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
-This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
+ Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
Intune name: Office apps/macros creating executable content
-Configuration Manager name: Block Office applications from creating executable content
+SCCM name: Block Office applications from creating executable content
-GUID: 3B576869-A4EC-4529-8536-B80A7769E899
+GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
### Block Office applications from injecting code into other processes
-Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
+This rule blocks code injection attempts from Office apps into other processes.
+
+Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
+
+There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps injecting code into other processes (no exceptions)
Configuration Manager name: Block Office applications from injecting code into other processes
-GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
### Block JavaScript or VBScript from launching downloaded executable content
-Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
+This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
-Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
+Although not common, line-of-business applications sometimes use scripts to download and launch installers.
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
-GUID: D3E037E1-3EB8-44C8-A917-57927947596D
+GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
### Block execution of potentially obfuscated scripts
-Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
+This rule detects suspicious properties within an obfuscated script.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
+
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Obfuscated js/vbs/ps/macro code
Configuration Manager name: Block execution of potentially obfuscated scripts.
-GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
### Block Win32 API calls from Office macros
-Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
+This rule prevents VBA macros from calling Win32 APIs.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
+
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Win32 imports from Office macro code
Configuration Manager name: Block Win32 API calls from Office macros
-GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
+This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
-* Executable files (such as .exe, .dll, or .scr)
+- Executable files (such as .exe, .dll, or .scr)
-> [!NOTE]
-> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
+Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
> [!IMPORTANT]
-> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
-GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
+GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
### Use advanced protection against ransomware
-This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
+This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Advanced ransomware protection
Configuration Manager name: Use advanced protection against ransomware
-GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
+GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
-### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
+### Block credential stealing from the Windows local security authority subsystem
-Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
+This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
+
+LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Flag credential stealing from the Windows local security authority subsystem
Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
-GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
### Block process creations originating from PSExec and WMI commands
-This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
-
-> [!IMPORTANT]
-> File and folder exclusions do not apply to this attack surface reduction rule.
+This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
> [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from PSExec and WMI commands
Configuration Manager name: Not applicable
-GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
+GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
### Block untrusted and unsigned processes that run from USB
@@ -278,55 +333,77 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Untrusted and unsigned processes that run from USB
Configuration Manager name: Block untrusted and unsigned processes that run from USB
-GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
### Block Office communication application from creating child processes
-This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
+This rule prevents Outlook from creating child processes, while till allowing legitimate Outlook functions.
+
+This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Office communication products (beta)
Configuration Manager name: Not yet available
-GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
+GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
### Block Adobe Reader from creating child processes
-Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
+This rule prevents attacks by blocking Adobe Reader from creating additional processes.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
+Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
+
+This rule was introduced in:
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Adobe Reader (beta)
Configuration Manager name: Not yet available
-GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
### Block persistence through WMI event subscription
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
+This rule prevents malware from abusing WMI to attain persistence on a device.
-This rule was introduced in: Windows 10 1903, Windows Server 1903
+Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
+
+This rule was introduced in:
+- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
+- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Block persistence through WMI event subscription
Configuration Manager name: Not yet available
-GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
+GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
## Related topics
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+- [Attack surface reduction FAQ](attack-surface-reduction.md)
+
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+
+- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index 67192e12e8..eceb1d2833 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -1,14 +1,14 @@
---
-title: Manage actions related to automated investigation and remediation
-description: Use the action center to manage actions related to automated investigation and response
+title: View details and results of automated investigations
+description: Use the action center to view details and results following an automated investigation
keywords: action, center, autoir, automated, investigation, response, remediation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: deniseb
+author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -16,36 +16,146 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Manage actions related to automated investigation and remediation
+# View details and results of automated investigations
-The Action center aggregates all investigations that require an action for an investigation to proceed or be completed.
+During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically.
-
+If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
-The action center consists of two main tabs:
-- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject.
-- History - Acts as an audit log for:
- - All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file).
- - All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
- - Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.
+>[!NOTE]
+>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
-Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
+## The Action center
+
+
+
+The action center consists of two main tabs: **Pending actions** and **History**.
+- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected).
+- **History** Acts as an audit log for all of the following items:
+ - Remediation actions that were taken as a result of an automated investigation
+ - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
+ - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone)
+ - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone)
+
+Use the **Customize columns** menu to select columns that you'd like to show or hide.
+
+You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
+
+## The Investigations page
+
+
+
+On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation.
+
+By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
+
+Use the **Customize columns** menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
+### Filters for the list of investigations
->[!NOTE]
->The tab will only appear if there are pending actions for that category.
+On the **Investigations** page, you can view details and use filters to focus on specific information. The following table lists available filters:
-### Approve or reject an action
-You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
+|Filter |Description |
+|---------|---------|
+|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
+|**Triggering alert** | The alert that initiated the automated investigation |
+|**Detection source** |The source of the alert that initiated the automated investigation |
+|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. |
+|**Threat** |The category of threat detected during the automated investigation |
+|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
+|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
-Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
+## Automated investigation status
-From the panel, you can click on the Open investigation page link to see the investigation details.
+An automated investigation can have one of the following status values:
-You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
+|Status |Description |
+|---------|---------|
+| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. |
+| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. |
+| No threats found | The investigation has finished and no threats were identified.
If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). |
+| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. |
+| Remediated | The investigation finished and all actions were approved (fully remediated). |
+| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. |
+| Terminated by system | The investigation stopped. An investigation can stop for several reasons:
- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time.
- There are too many actions in the list.
Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. |
+| Failed | At least one investigation analyzer ran into a problem where it could not complete properly.
If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. |
+| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. |
+| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
+| Terminated by user | A user stopped the investigation before it could complete. |
-## Related topics
-- [Automated investigation and investigation](automated-investigations.md)
-- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
+
+## View details about an automated investigation
+
+
+
+You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
+
+In this view, you'll see the name of the investigation, when it started and ended.
+
+### Investigation graph
+
+The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+
+A progress ring shows two status indicators:
+- Orange ring - shows the pending portion of the investigation
+- Green ring - shows the running time portion of the investigation
+
+
+
+In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
+
+The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
+
+From this view, you can also view and add comments and tags about the investigation.
+
+### Alerts
+
+The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
+
+Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
+
+Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
+
+Clicking on an alert title brings you the alert page.
+
+### Machines
+
+The **Machines** tab Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
+
+Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
+
+Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
+
+Clicking on a machine name brings you the machine page.
+
+### Evidence
+
+The **Evidence** tab shows details related to threats associated with this investigation.
+
+### Entities
+
+The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
+
+### Log
+
+The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
+
+As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
+
+Available filters include action type, action, status, machine name, and description.
+
+You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
+
+### Pending actions
+
+If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image.
+
+
+
+When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**.
+
+## Next steps
+
+[View and approve remediation actions](manage-auto-investigation.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 96cf4bd271..17a56b7252 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -19,6 +19,8 @@ ms.topic: conceptual
# Overview of automated investigations
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
+
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.
The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated.
@@ -26,10 +28,7 @@ The automated investigation feature leverages various inspection algorithms, and
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
-
-## Understand the automated investigation flow
-
-### How the automated investigation starts
+## How the automated investigation starts
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (Malicious, Suspicious, and Clean) are available during and after the automated investigation.
@@ -40,7 +39,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t
>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
>- Later versions of Windows 10
-### Details of an automated investigation
+## Details of an automated investigation
During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs.
@@ -56,13 +55,13 @@ During and after an automated investigation, you can view details about the inve
> [!IMPORTANT]
> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
-### How an automated investigation expands its scope
+## How an automated investigation expands its scope
While an investigation is running, any other alerts generated from the machine are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
If an incriminated entity is seen in another machine, the automated investigation process will expand its scope to include that machine, and a general security playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
-### How threats are remediated
+## How threats are remediated
Depending on how you set up the machine groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
@@ -86,3 +85,9 @@ When a pending action is approved, the entity is then remediated and this new st
## Next step
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
+
+## Related articles
+
+- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
+
+- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
new file mode 100644
index 0000000000..db8a4231aa
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -0,0 +1,49 @@
+---
+title: Behavioral blocking and containment
+description: Learn about behavioral blocking and containment capabilities in Microsoft Defender ATP
+keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro
+ms.topic: article
+ms.prod: w10
+ms.localizationpriority: medium
+ms.custom:
+- next-gen
+- edr
+ms.collection:
+---
+
+# Behavioral blocking and containment
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Behavioral blocking and containment overview
+
+Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints.
+
+## Behavioral blocking and containment capabilities
+
+Behavioral blocking and containment capabilities include the following:
+
+- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
+
+- **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
+
+- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
+
+- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in [limited private preview](edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode), is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
+
+As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development.
+
+## Next steps
+
+- [Configure your attack surface reduction rules](attack-surface-reduction.md)
+
+- [Enable EDR in block mode](edr-in-block-mode.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
index 2830d49f18..de0e22cee2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
@@ -77,7 +77,6 @@ Not currently available.
## Integrations
Integrations with the following Microsoft products are not currently available:
-- Azure Security Center
- Azure Advanced Threat Protection
- Azure Information Protection
- Office 365 Advanced Threat Protection
diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
index 9049705849..b58503a9c9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
@@ -28,6 +28,8 @@ ms.topic: article
Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4byD1]
+
With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index a040722887..06bd8455af 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -1,6 +1,6 @@
---
title: Overview of Configuration score in Microsoft Defender Security Center
-description: Expand your visibility into the overall security configuration posture of your organization
+description: Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls
keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -8,49 +8,66 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/11/2019
---
# Configuration score
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks.
+> Secure score is now part of Threat & Vulnerability Management as Configuration score.
-The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over the security posture of your organization based on security best practices. High configuration score means your endpoints are more resilient from cybersecurity threat attacks.
+Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories:
-Your configuration score widget shows the collective security configuration state of your machines across the following categories:
- Application
- Operating system
- Network
- Accounts
- Security controls
-## How it works
->[!NOTE]
-> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
+Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations.
+
+## How it works
+
+>[!NOTE]
+> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
+
+The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
-The data in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
-- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
+- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
- Collect and monitor changes of security control configuration state from all assets
-From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
+## Improve your security configuration
-## Improve your configuration score
-The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on:
-- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
-- **Remediation type** — **Configuration change** or **Software update**
+You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
-See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
+1. From the Configuration score card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
+
+2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
+
+ 
+
+3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.
+
+4. **Submit request**. You will see a confirmation message that the remediation task has been created.
+ >
+
+5. Save your CSV file.
+ 
+
+6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
+
+7. Review the **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
@@ -64,18 +81,15 @@ See how you can [improve your security configuration](https://docs.microsoft.com
>2. Key-in the security update KB number that you need to download, then click **Search**.
## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
index 0b7d271c77..70890b48ee 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
@@ -1,7 +1,7 @@
---
-title: Configure HP ArcSight to pull Microsoft Defender ATP detections
-description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center
-keywords: configure hp arcsight, security information and events management tools, arcsight
+title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
+description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center
+keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Configure HP ArcSight to pull Microsoft Defender ATP detections
+# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
**Applies to:**
@@ -28,14 +28,15 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
-You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections.
+You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
-Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
+
+Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
This section guides you in getting the necessary information to set and use the required configuration files correctly.
@@ -50,7 +51,7 @@ This section guides you in getting the necessary information to set and use the
- WDATP-connector.properties
- WDATP-connector.jsonparser.properties
- You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization.
+ You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization.
- Make sure you generate the following tokens and have them ready:
- Access token
@@ -58,7 +59,8 @@ This section guides you in getting the necessary information to set and use the
You can generate these tokens from the **SIEM integration** setup section of the portal.
-## Install and configure HP ArcSight FlexConnector
+## Install and configure Micro Focus ArcSight FlexConnector
+
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
@@ -79,8 +81,9 @@ The following steps assume that you have completed all the required steps in [Be
- WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
- NOTE:
- You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
+ > [!NOTE]
+ >
+ > You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
@@ -114,30 +117,36 @@ The following steps assume that you have completed all the required steps in [Be
|
|
-
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
- If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
+
+
+7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
-7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
+ If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
+
+ If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
-8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
+8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
-9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
+9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
-10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
+10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
-11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
+11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
-12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
+12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
-13. Select **Install as a service** and click **Next**.
+13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
-14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
+14. Select **Install as a service** and click **Next**.
-15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
+15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
-16. Finish the installation by selecting **Exit** and **Next**.
+16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
+
+17. Finish the installation by selecting **Exit** and **Next**.
+
+## Install and configure the Micro Focus ArcSight console
-## Install and configure the HP ArcSight console
1. Follow the installation wizard through the following tasks:
- Introduction
- License Agreement
@@ -158,18 +167,19 @@ The following steps assume that you have completed all the required steps in [Be
7. Click **Done** to quit the installer.
-8. Login to the HP ArcSight console.
+8. Login to the Micro Focus ArcSight console.
9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
-You can now run queries in the HP ArcSight console.
+You can now run queries in the Micro Focus ArcSight console.
Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
-## Troubleshooting HP ArcSight connection
+## Troubleshooting Micro Focus ArcSight connection
+
**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
**Symptom:** You get the following error message:
@@ -177,7 +187,9 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof
`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
**Solution:**
+
1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
+
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
`reauthenticate=true`.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
index 8fafbb0b85..96650774c3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
@@ -100,5 +100,4 @@ This section lists various issues that you may encounter when using email notifi
## Related topics
- [Update data retention settings](data-retention-settings.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Enable Secure Score security controls](enable-secure-score.md)
- [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
index 09cd520b12..c5d535a96e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@@ -34,7 +34,7 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
## Before you begin
If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
-For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
+For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
## Onboard machines using Microsoft Intune
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
index 738c296ba1..28eb5db87f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@@ -1,7 +1,7 @@
---
-title: Onboard Windows 10 machines using System Center Configuration Manager
-description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
-keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines, sccm
+title: Onboard Windows 10 machines using Configuration Manager
+description: Use Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
+keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -15,42 +15,34 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 12/11/2018
+ms.date: 02/07/2020
---
-# Onboard Windows 10 machines using System Center Configuration Manager
+# Onboard Windows 10 machines using Configuration Manager
**Applies to:**
-
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- System Center 2012 Configuration Manager or later versions
+- Microsoft Endpoint Configuration Manager current branch
+- System Center 2012 R2 Configuration Manager
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
-## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606
-System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see Support for Microsoft Defender Advanced Threat Protection service.
-
->[!NOTE]
-> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
-> Starting with version 1606 of Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) for ATP configuration.
+## Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager current branch
+Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
-## Onboard Windows 10 machines using System Center Configuration Manager earlier versions
-You can use existing System Center Configuration Manager functionality to create a policy to configure your machines. This is supported in the following System Center Configuration Manager versions:
+## Onboard Windows 10 machines using earlier versions of System Center Configuration Manager
-- System Center 2012 Configuration Manager
-- System Center 2012 R2 Configuration Manager
-- System Center Configuration Manager (current branch), version 1511
-- System Center Configuration Manager (current branch), version 1602
+You can use existing Configuration Manager functionality to create a policy to configure your machines. This action is supported in System Center 2012 R2 Configuration Manager.
### Onboard machines using System Center Configuration Manager
-1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
+1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@@ -62,7 +54,7 @@ You can use existing System Center Configuration Manager functionality to create
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
a. Choose a predefined device collection to deploy the package to.
@@ -72,15 +64,15 @@ You can use existing System Center Configuration Manager functionality to create
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md).
>
-> Note that it is possible to create a detection rule within ConfigMgr to continuously check if a machine has been onboarded.
-> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), ConfigMgr will retry to onboard the machine until the rule detects the status change.
+> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a machine has been onboarded. An application is a different type of object than a package and program.
+> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the machine until the rule detects the status change.
>
-> This can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1.
+> This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1.
> This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status".
-Refer to the following ConfigMgr article for more information: https://docs.microsoft.com/configmgr/apps/deploy-use/create-applications#bkmk_detect-rule
-
+For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682159\(v=technet.10\)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type).
### Configure sample collection settings
+
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine.
@@ -101,17 +93,23 @@ Possible values are:
The default value in case the registry key doesn’t exist is 1.
-For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
+For more information about System Center Configuration Manager Compliance see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
-## Offboard machines using System Center Configuration Manager
+## Offboard machines using Configuration Manager
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
+### Offboard machines using Microsoft Endpoint Configuration Manager current branch
+
+If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file).
+
+### Offboard machines using System Center 2012 R2 Configuration Manager
+
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@@ -124,7 +122,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
a. Choose a predefined device collection to deploy the package to.
@@ -132,16 +130,19 @@ For security reasons, the package used to Offboard machines will expire 30 days
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
-### Monitor machine configuration
-Monitoring with SCCM consists of two parts:
+## Monitor machine configuration
+
+If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
+
+If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network.
2. Checking that the machines are compliant with the Microsoft Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service).
-**To confirm the configuration package has been correctly deployed:**
+### Confirm the configuration package has been correctly deployed
-1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
+1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane.
2. Click **Overview** and then **Deployments**.
@@ -151,10 +152,11 @@ Monitoring with SCCM consists of two parts:
If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
- 
+ 
-**Check that the machines are compliant with the Microsoft Defender ATP service:**
-You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment.
+### Check that the machines are compliant with the Microsoft Defender ATP service
+
+You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
@@ -164,7 +166,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
Name: “OnboardingState”
Value: “1”
```
-For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
+For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 449dd5010c..2c8c2b2f66 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 04/24/2018
+ms.date: 04/16/2020
---
# Onboard non-persistent virtual desktop infrastructure (VDI) machines
@@ -23,7 +23,8 @@ ms.date: 04/24/2018
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
-
+>[!WARNING]
+> Micrsosoft Defender ATP currently does not support Windows Virtual Desktop multi-user session.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
@@ -80,26 +81,62 @@ The following steps will guide you through onboarding VDI machines and will high
6. Test your solution:
- a. Create a pool with one machine.
+ a. Create a pool with one machine.
- b. Logon to machine.
+ b. Logon to machine.
- c. Logoff from machine.
+ c. Logoff from machine.
- d. Logon to machine with another user.
+ d. Logon to machine with another user.
- e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.
+ e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.
**For multiple entries for each machine**: Check multiple entries in Microsoft Defender Security Center.
7. Click **Machines list** on the Navigation pane.
8. Use the search function by entering the machine name and select **Machine** as search type.
+## Updating non-persistent virtual desktop infrastructure (VDI) images
+As a best practice, we recommend using offline servicing tools to patch golden/master images.
+For example, you can use the below commands to install an update while the image remains offline:
+
+```
+DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
+DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
+DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
+```
+
+For more information on DISM commands and offline servicing, please refer to the articles below:
+- [Modify a Windows image using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
+- [DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
+- [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
+
+If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
+
+1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script).
+
+2. Ensure the sensor is stopped by running the command below in a CMD window:
+
+ ```
+ sc query sense
+ ```
+
+3. Service the image as needed.
+
+4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
+
+ ```
+ PsExec.exe -s cmd.exe
+ cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
+ del *.* /f /s /q
+ exit
+ ```
+
+5. Re-seal the golden/master image as you normally would.
+
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
index ff9e39088c..dea1185d9b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -1,6 +1,6 @@
---
title: Optimize ASR rule deployment and detections
-description: Ensure your attack surface reduction (ASR) rules are fully optimized to identify and prevent typical actions taken by malware during the exploitation phase.
+description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits.
keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -23,33 +23,31 @@ ms.topic: article
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink).
-[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
+[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.
*Attack surface management card*
-The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to:
+The *Attack surface management card* is an entry point to tools in Microsoft 365 security center that you can use to:
-* Understand how ASR rules are currently deployed in your organization
-* Review ASR detections and identify possible incorrect detections
-* Analyze the impact of exclusions and generate the list of file paths to exclude
+* Understand how ASR rules are currently deployed in your organization.
+* Review ASR detections and identify possible incorrect detections.
+* Analyze the impact of exclusions and generate the list of file paths to exclude.
-Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
+Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
-*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center*
+The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*
> [!NOTE]
-> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
+> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions).
-For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections)
+For more information about ASR rule deployment in Microsoft 365 security center, see [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections).
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-
-## Related topics
+**Related topics**
* [Ensure your machines are configured properly](configure-machines.md)
* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
-* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
+* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
index c25ee5cfa4..1ae1fc060d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
@@ -35,13 +35,16 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
-2. Click **Apply**.
+2. Click **Apply**.
+
-3. Enter your name and email address so that Microsoft can get back to you on your application.
+3. Enter your name and email address so that Microsoft can get back to you on your application.
+
-4. Read the privacy statement, then click **Submit** when you're done. You will receive a welcome email once your application is approved.
+4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved.
+
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
@@ -67,22 +70,25 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
->[!NOTE]
->Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
+> [!NOTE]
+> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
+> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request.
2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
->
+ 
->A flyout screen opens. The following screen shows when you are on a trial subscription.
->
+ A flyout screen opens. The following screen shows when you are on a trial subscription.
-> The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription.
->
+ 
->The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request.
+ The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription.
+
+ 
+
+ The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request.
3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
@@ -125,4 +131,3 @@ It is crucial to respond in a timely manner to keep the investigation moving.
## Related topic
- [Microsoft Threat Experts overview](microsoft-threat-experts.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index c8ddf79198..66efa55144 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -38,8 +38,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Transparent proxy
- Web Proxy Auto-discovery Protocol (WPAD)
-> [!NOTE]
-> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+ > [!NOTE]
+ > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
- Manual static proxy configuration:
- Registry based configuration
@@ -102,7 +102,8 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
## Enable access to Microsoft Defender ATP service URLs in the proxy server
-If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list.
+If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
> [!NOTE]
> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.
@@ -120,9 +121,19 @@ United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.bl
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
+### Log analytics agent requirements
+
+The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
+
+|Agent Resource|Ports |Direction |Bypass HTTPS inspection|
+|------|---------|--------|--------|
+|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |
+|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |
+|*.blob.core.windows.net |Port 443 |Outbound|Yes |
+
## Microsoft Defender ATP service backend IP range
-If your network devices don't support the URLs white-listed in the prior section, you can use the following information.
+If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information.
Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index f6e320c931..c0c8157b48 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -25,44 +25,37 @@ ms.topic: article
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
-- Windows Server, 2019
+- Windows Server, 2019 and later
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
-Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.
+Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following servers:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
-- Windows Server 2019
+- Windows Server 2019 and later
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
-> [!NOTE]
-> An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services)
-## Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016
+## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
-- **Option 1**: Onboard through Azure Security Center
-- **Option 2**: Onboard through Microsoft Defender Security Center
+- **Option 1**: Onboard through Microsoft Defender Security Center
+- **Option 2**: Onboard through Azure Security Center
-### Option 1: Onboard servers through Azure Security Center
-1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+> [!NOTE]
+> Microsoft defender ATP standalone server license is required, per node, in order to onboard the server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
-2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
-3. Click **Onboard Servers in Azure Security Center**.
-
-4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
-
-### Option 2: Onboard servers through Microsoft Defender Security Center
+### Option 1: Onboard servers through Microsoft Defender Security Center
You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
- For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
@@ -77,17 +70,15 @@ You'll need to take the following steps if you choose to onboard servers through
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
- Turn on server monitoring from Microsoft Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
> [!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
### Configure and update System Center Endpoint Protection clients
-> [!IMPORTANT]
-> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
-Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
@@ -100,7 +91,7 @@ The following steps are required to enable this integration:
2. Select Windows Server 2012 R2 and 2016 as the operating system.
-3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
+3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
@@ -113,7 +104,7 @@ The following steps are required to enable this integration:
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
-3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
+3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
Once completed, you should see onboarded servers in the portal within an hour.
@@ -125,25 +116,38 @@ Once completed, you should see onboarded servers in the portal within an hour.
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+
+### Option 2: Onboard servers through Azure Security Center
+1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
+
+2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
+
+3. Click **Onboard Servers in Azure Security Center**.
+
+4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
+
+
+
## Windows Server, version 1803 and Windows Server 2019
-To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
+To onboard Windows Server, version 1803 or Windows Server 2019, refer to the supported methods and versions below.
> [!NOTE]
-> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Microsoft Endpoint Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
+> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
Supported tools include:
- Local script
- Group Policy
+- Microsoft Endpoint Configuration Manager
- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
- VDI onboarding scripts for non-persistent machines
For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
-Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
+Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
-2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly:
a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
@@ -152,27 +156,29 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh
b. Run the following PowerShell command to verify that the passive mode was configured:
- ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
+ ```PowerShell
+ Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
+ ```
c. Confirm that a recent event containing the passive mode event is found:
- 
+ 
3. Run the following command to check if Windows Defender AV is installed:
```sc query Windefend```
- If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+ If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
## Integration with Azure Security Center
-Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
+Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration:
- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
-> [!NOTE]
-> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
+ > [!NOTE]
+ > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
index fd5efbf9ea..10c69301a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
@@ -78,7 +78,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP detec
URL to authenticate the azure app (Default : https://login.microsoftonline.com) |
Endpoint |
- Depending on the location of your datacenter, select any of the following URL: For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
For US:https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts
+ | Depending on the location of your datacenter, select any of the following URL: For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com
For US:https://wdatp-alertexporter-us.securitycenter.windows.com
For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com
|
| Tenant ID |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
index 2e5c7cec45..0a85cb240c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
@@ -24,8 +24,9 @@ ms.topic: article
## API description
-Creates new [Alert](alerts.md).
-
Microsoft Defender ATP Event is a required parameter for the alert creation.
+Creates new [Alert](alerts.md) on top of **Event**.
+
**Microsoft Defender ATP Event** is required for the alert creation.
+
You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
You can use an event found in Advanced Hunting API or Portal.
If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
An automatic investigation starts automatically on alerts created via the API.
@@ -68,13 +69,13 @@ In the request body, supply the following values (all are required):
Property | Type | Description
:---|:---|:---
+eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**.
+reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**.
machineId | String | Id of the machine on which the event was identified. **Required**.
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
title | String | Title for the alert. **Required**.
description | String | Description of the alert. **Required**.
recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
-eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
-reportId | String | The reportId, as obtained from the advanced query. **Required**.
category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**.
## Response
@@ -91,16 +92,16 @@ Here is an example of the request.
```
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
-Content-Length: application/json
-
+```
+```json
{
- "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "severity": "Low",
- "title": "test alert",
- "description": "test alert",
- "recommendedAction": "test alert",
- "eventTime": "2018-08-03T16:45:21.7115183Z",
- "reportId": "20776",
- "category": "None"
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "severity": "Low",
+ "title": "example",
+ "description": "example alert",
+ "recommendedAction": "nothing",
+ "eventTime": "2018-08-03T16:45:21.7115183Z",
+ "reportId": "20776",
+ "category": "Exploit"
}
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index c5a436c489..b2fc09e758 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -1,7 +1,7 @@
---
title: Create and manage custom detection rules in Microsoft Defender ATP
ms.reviewer:
-description: Learn how to create and manage custom detections rules based on advanced hunting queries
+description: Learn how to create and manage custom detection rules based on advanced hunting queries
keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -19,7 +19,7 @@ ms.topic: article
---
-# Create and manage custom detections rules
+# Create and manage custom detection rules
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -34,7 +34,7 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
#### Required columns in the query results
-To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
+To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine.
@@ -63,14 +63,14 @@ With the query in the query editor, select **Create detection rule** and specify
For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
#### Rule frequency
-When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations:
+When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
-- **Every 24 hours** — checks data from the past 30 days
-- **Every 12 hours** — checks data from the past 24 hours
-- **Every 3 hours** — checks data from the past 6 hours
-- **Every hour** — checks data from the past 2 hours
+- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days
+- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours
+- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours
+- **Every hour** — runs hourly, checking data from the past 2 hours
-Whenever a rule runs, similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
+Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
### 3. Specify actions on files or machines.
Your custom detection rule can automatically take actions on files or machines that are returned by the query.
@@ -88,7 +88,7 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1`
- **Quarantine file** — deletes the file from its current location and places a copy in quarantine
### 4. Click **Create** to save and turn on the rule.
-When saved, the custom detection rule immediately runs. It runs again every 24 hours to check for matches, generate alerts, and take response actions.
+After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
## Manage existing custom detection rules
In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index 839daef3d1..0786bb44f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -1,5 +1,5 @@
---
-title: Configure how attack surface reduction rules work to finetune protection in your network
+title: Configure how attack surface reduction rules work to fine-tune protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
@@ -26,11 +26,11 @@ manager: dansimp
> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
+Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
-This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
+Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
-You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
+Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
@@ -39,12 +39,12 @@ You can exclude files and folders from being evaluated by attack surface reducti
> [!WARNING]
> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
-An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
+An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule.
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
+If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
Rule description | GUID
-|-|-
@@ -76,6 +76,9 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+> [!WARNING]
+> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
+
### Use PowerShell to exclude files and folders
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
@@ -103,3 +106,4 @@ See the [Windows Security](../windows-defender-security-center/windows-defender-
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+* [Attack surface reduction FAQ](attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
index 64a77031bf..30dd08b49c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
@@ -89,7 +89,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>
> Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
>
-> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
+> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
>
>
> * **Example 2**
@@ -100,8 +100,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>
> Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
>
->The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
->CFG will be enabled for *miles.exe*.
+> The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
> [!NOTE]
> If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
index 703b8a3412..9cc9cb48ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
@@ -1,6 +1,6 @@
---
-title: Update how long data is stored by MDATP
-description: Update data retention settings for Microsoft Defender Advanced Threat Protection (MDATP) by selecting between 30 days to 180 days.
+title: Verify data storage location and update data retention settings
+description: Verify data storage location and update data retention settings for Microsoft Defender Advanced Threat Protection
keywords: data, storage, settings, retention, update
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -15,9 +15,8 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/24/2018
---
-# Update data retention settings for Microsoft Defender ATP
+# Verify data storage location and update data retention settings for Microsoft Defender ATP
**Applies to:**
@@ -25,10 +24,18 @@ ms.date: 04/24/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
-During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After onboarding, you might want to update the data retention settings.
+During the onboarding process, a wizard takes you through the data storage and retention settings of Microsoft Defender ATP.
+
+After completing the onboarding, you can verify your selection in the data retention settings page.
+
+## Verify data storage location
+During the [Set up phase](production-deployment.md), you would have selected the location to store your data.
+
+You can verify the data location by navigating to **Settings** > **Data retention**.
+
+## Update data retention settings
1. In the navigation pane, select **Settings** > **Data retention**.
@@ -44,5 +51,4 @@ During the onboarding process, a wizard takes you through the general settings o
- [Update data retention settings](data-retention-settings.md)
- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Enable Secure Score security controls](enable-secure-score.md)
- [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
index f59264a083..eec05ff19b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
@@ -46,15 +46,18 @@ Microsoft does not use your data for advertising.
## Data protection and encryption
The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure.
-
There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview).
In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
-## Do I have the flexibility to select where to store my data?
+## Data storage location
-When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States, or dedicated Azure Government data centers (soon to be in preview). Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
+Microsoft Defender ATP operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Microsoft Defender ATP uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service.
+
+Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
+
+Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside.
## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
@@ -84,12 +87,10 @@ Your data will be kept and will be available to you while the license is under g
## Can Microsoft help us maintain regulatory compliance?
-Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications.
-
-Microsoft Defender ATP for Government (soon to be in preview) is currently undergoing audit for achieving FedRAMP High accreditation as well as Provisional Authorization (PA) at Impact Levels 4 and 5.
+Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
-For more information on the Microsoft Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/trustcenter/compliance/iso-iec-27001).
+For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
new file mode 100644
index 0000000000..a04a30abf0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
@@ -0,0 +1,62 @@
+---
+title: Deployment phases
+description: Learn how deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service
+keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Deployment phases
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+There are three phases in deploying Microsoft Defender ATP:
+
+|Phase | Desription |
+|:-------|:-----|
+| 
[Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Microsoft Defender ATP:
- Stakeholders and sign-off
- Environment considerations
- Access
- Adoption order
+| 
[Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:
- Validating the licensing
- Completing the setup wizard within the portal
- Network configuration|
+| 
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on:
- Using Microsoft Endpoint Configuration Manager to onboard devices
- Configure capabilities
+
+
+
+ The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP.
+
+There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+
+## In Scope
+
+The following is in scope for this deployment guide:
+- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service
+- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
+ capabilities
+
+ - Next Generation Protection
+
+ - Attack Surface Reduction
+
+- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
+ capabilities including automatic investigation and remediation
+
+- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
+
+
+## Out of scope
+
+The following are out of scope of this deployment guide:
+
+- Configuration of third-party solutions that might integrate with Microsoft
+ Defender ATP
+
+- Penetration testing in production environment
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
new file mode 100644
index 0000000000..47e19acae2
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
@@ -0,0 +1,47 @@
+---
+title: Plan your Microsoft Defender ATP deployment strategy
+description: Select the best Microsoft Defender ATP deployment strategy for your environment
+keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Plan your Microsoft Defender ATP deployment strategy
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
+
+Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Microsoft Defender ATP.
+
+
+You can deploy Microsoft Defender ATP using various management tools. In general the following management tools are supported:
+
+- Group policy
+- Microsoft Endpoint Configuration Manager
+- Mobile Device Management tools
+- Local script
+
+
+## Microsoft Defender ATP deployment strategy
+
+Depending on your environment, some tools are better suited for certain architectures.
+
+
+|**Item**|**Description**|
+|:-----|:-----|
+|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
[PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: - Cloud-native
- Co-management
- On-premise
- Evaluation and local onboarding
+
+
+## Related topics
+- [Deployment phases](deployment-phases.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf
new file mode 100644
index 0000000000..0b904a9ae6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx
new file mode 100644
index 0000000000..1973043e7e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
new file mode 100644
index 0000000000..adcfad4d3e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -0,0 +1,95 @@
+---
+title: Endpoint detection and response in block mode
+description: Learn about endpoint detection and response in block mode
+keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro
+ms.topic: article
+ms.prod: w10
+ms.localizationpriority: medium
+ms.custom:
+- next-gen
+- edr
+ms.collection:
+---
+
+# Endpoint detection and response (EDR) in block mode
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## What is EDR in block mode?
+
+When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
+
+> [!NOTE]
+> EDR in block mode is currently in **[limited private preview](#can-i-participate-in-the-preview-of-edr-in-block-mode)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
+
+## What happens when something is detected?
+
+When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
+
+The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
+
+:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="EDR in block mode detected something":::
+
+
+## Enable EDR in block mode
+
+> [!IMPORTANT]
+> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode.
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+
+2. Choose **Settings** > **Advanced features**.
+
+3. Turn on **EDR in block mode**.
+
+> [!NOTE]
+> EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.
+
+## Requirements for EDR in block mode
+
+|Requirement |Details |
+|---------|---------|
+|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
+|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later |
+|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
+|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). |
+|Windows Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
+|Windows Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
+
+> [!IMPORTANT]
+> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features.
+
+
+## Frequently asked questions
+
+### Will EDR in block mode have any impact on a user's antivirus protection?
+
+No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
+
+### Why do I need to keep Windows Defender Antivirus up to date?
+
+Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date.
+
+### Why do we need cloud protection on?
+
+Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models.
+
+### Can I participate in the preview of EDR in block mode?
+
+EDR in block mode is currently in limited private preview. If you would like to participate in this private preview program, send email to `shwjha@microsoft.com`.
+
+## Related articles
+
+[Behavioral blocking and containment](behavioral-blocking-containment.md)
+
+[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 1b8c03d660..9115bc352e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -1,6 +1,6 @@
---
-title: Enable ASR rules individually to protect your organization
-description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques
+title: Enable attack surface reduction rules individually to protect your organization
+description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -12,14 +12,14 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/13/2019
+ms.date: 05/05/2020
ms.reviewer:
manager: dansimp
---
# Enable attack surface reduction rules
-[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
+[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
Each ASR rule contains three settings:
@@ -43,26 +43,20 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
-> [!WARNING]
+> [!IMPORTANT]
> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
->
> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
-> [!IMPORTANT]
-> File and folder exclusions do not apply to the following ASR rules:
->
-> * Block process creations originating from PSExec and WMI commands
-> * Block JavaScript or VBScript from launching downloaded executable content
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
## Intune
-1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
+1. Select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
@@ -76,7 +70,7 @@ The following procedures for enabling ASR rules include instructions for how to
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules).
+The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
@@ -131,10 +125,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+> [!WARNING]
+> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
+
## PowerShell
->[!WARNING]
->If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
+> [!WARNING]
+> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
@@ -186,4 +183,5 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
-* [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
+* [Attack surface reduction FAQ](attack-surface-reduction.md)
+* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index db54d852de..2322ed9300 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -17,24 +17,56 @@ audience: ITPro
manager: dansimp
---
-# Enable network protection
+# Turning on network protection
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
+You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
+
+## Check if network protection is enabled
+
+You can see if network protection has been enabled on a local device by using Registry editor.
+
+1. Select the **Start** button in the task bar and type **regedit** to open Registry editor
+1. Choose **HKEY_LOCAL_MACHINE** from the side menu
+1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** **Windows Defender** > **Policy Manager**
+1. Select **EnableNetworkProtection** to see the current state of network protection on the device
+
+ * 0, or **Off**
+ * 1, or **On**
+ * 2, or **Audit** mode
+
+## Enable network protection
You can enable network protection by using any of these methods:
+* [PowerShell](#powershell)
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
-* [PowerShell](#powershell)
-## Intune
+### PowerShell
+
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+ ```PowerShell
+ Set-MpPreference -EnableNetworkProtection Enabled
+ ```
+
+You can enable the feature in audit mode using the following cmdlet:
+
+```PowerShell
+Set-MpPreference -EnableNetworkProtection AuditMode
+```
+
+Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
+
+### Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
@@ -45,7 +77,7 @@ You can enable network protection by using any of these methods:
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
-## MDM
+### MDM
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
@@ -58,13 +90,13 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d
1. Review the settings and click **Next** to create the policy.
1. After the policy is created, click **Close**.
-## Group Policy
+### Group Policy
You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
1. On a standalone computer, click **Start**, type and then click **Edit group policy**.
- -Or-
+ *-Or-*
On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -89,23 +121,6 @@ You can confirm network protection is enabled on a local computer by using Regis
* 1=On
* 2=Audit
-## PowerShell
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
-2. Enter the following cmdlet:
-
- ```PowerShell
- Set-MpPreference -EnableNetworkProtection Enabled
- ```
-
-You can enable the feature in audit mode using the following cmdlet:
-
-```PowerShell
-Set-MpPreference -EnableNetworkProtection AuditMode
-```
-
-Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
-
## Related topics
* [Network protection](network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
index 8829cf492a..76c04110e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
@@ -38,7 +38,7 @@ Set the baselines for calculating the score of security controls on the Secure S
3. Click **Save preferences**.
## Related topics
-- [View the Secure Score dashboard](secure-score-dashboard.md)
+- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Update data retention settings for Microsoft Defender ATP](data-retention-settings.md)
- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index a003bd5a09..f408e29140 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -67,6 +67,8 @@ Enable security information and event management (SIEM) integration so you can p
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
+6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts.
+
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
## Integrate Microsoft Defender ATP with IBM QRadar
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 271622f774..70a03c74e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -23,9 +23,9 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
+Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
-This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
+Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization.
> [!TIP]
> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@@ -36,21 +36,20 @@ You can enable attack surface reduction rules in audit mode. This lets you see a
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
-To enable audit mode, use the following PowerShell cmdlet:
+To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
-This enables all attack surface reduction rules in audit mode.
-
> [!TIP]
> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md).
## Review attack surface reduction events in Windows Event Viewer
-To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
+To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.
Event ID | Description
-|-
@@ -68,3 +67,4 @@ See the [Customize attack surface reduction rules](customize-attack-surface-redu
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
+* [Attack surface reduction FAQ](attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index da28a46770..1d9da1a791 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -58,6 +58,9 @@ Event ID | Description
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
+> [!TIP]
+> You can configure a [Windows Event Forwarding subscription](https://docs.microsoft.com/windows/win32/wec/setting-up-a-source-initiated-subscription) to collect the logs centrally.
+
## Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 42ce3aa2b6..702d9e6c4e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -23,8 +23,7 @@ ms.topic: article
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
-The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
- focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
+The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index c0073ce75e..28689c33c8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -24,7 +24,7 @@ ms.custom: asr
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803.
+Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803.
> [!TIP]
> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@@ -93,7 +93,7 @@ Win32K | 260 | Untrusted Font
## Mitigation comparison
-The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server 2016 (starting with version 1803), under [Exploit protection](exploit-protection.md).
+The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server (starting with version 1803), under [Exploit protection](exploit-protection.md).
The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
index 549743f14c..5f6f4ad48c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
@@ -34,7 +34,6 @@ In general, you’ll need to take the following steps to use the APIs:
- Use the token to access Microsoft Defender ATP API.
The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
-
**To become an official partner of Microsoft Defender ATP and appear in our partner page, you will provide us with your application identifier.**
## Create the multi-tenant app
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
index f69367a074..ef03093507 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
@@ -1,5 +1,5 @@
---
-title: Create an Application to access Microsoft Defender ATP without a user
+title: Create an app to access Microsoft Defender ATP without a user
ms.reviewer:
description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
@@ -23,104 +23,88 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a user.
-
-If you need programmatic access Microsoft Defender ATP on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md)
-
-If you are not sure which access you need, see [Get started](apis-intro.md).
+This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a user. If you need programmatic access to Microsoft Defender ATP on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md). If you are not sure which access you need, see [Get started](apis-intro.md).
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, you’ll need to take the following steps to use the APIs:
-- Create an AAD application
-- Get an access token using this application
-- Use the token to access Microsoft Defender ATP API
+- Create an Azure Active Directory (Azure AD) application.
+- Get an access token using this application.
+- Use the token to access Microsoft Defender ATP API.
-This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
+This article explains how to create an Azure AD application, get an access token to Microsoft Defender ATP, and validate the token.
## Create an app
-1. Log on to [Azure](https://portal.azure.com) with user that has **Global Administrator** role.
+1. Log on to [Azure](https://portal.azure.com) with a user that has the **Global Administrator** role.
2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
-3. In the registration form, choose a name for your application and then click **Register**.
+3. In the registration form, choose a name for your application, and then select **Register**.
-4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission:
+4. To enable your app to access Microsoft Defender ATP and assign it **'Read all alerts'** permission, on your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** >, type **WindowsDefenderATP**, and then select **WindowsDefenderATP**.
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
-
- - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+ > [!NOTE]
+ > WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
+ - Select **Application permissions** > **Alert.Read.All**, and then select **Add permissions**.
- **Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example!
+ Note that you need to select the relevant permissions. 'Read All Alerts' is only an example. For instance:
- For instance,
-
- - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
+ - To [run advanced queries](run-advanced-query-api.md), select the 'Run advanced queries' permission.
+ - To [isolate a machine](isolate-machine.md), select the 'Isolate machine' permission.
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
-5. Click **Grant consent**
+5. Select **Grant consent**.
- - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
+ > [!NOTE]
+ > Every time you add a permission, you must select **Grant consent** for the new permission to take effect.
- 
+ 
-6. Add a secret to the application.
+6. To add a secret to the application, select **Certificates & secrets**, add a description to the secret, and then select **Add**.
- - Click **Certificates & secrets**, add description to the secret and click **Add**.
-
- **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
+ > [!NOTE]
+ > After you select **Add**, select **copy the generated secret value**. You won't be able to retrieve this value after you leave.
-7. Write down your application ID and your tenant ID:
-
- - On your application page, go to **Overview** and copy the following:
+7. Write down your application ID and your tenant ID. On your application page, go to **Overview** and copy the following.
-8. **For Microsoft Defender ATP Partners only** - Set your application to be multi-tenanted (available in all tenants after consent)
+8. **For Microsoft Defender ATP Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted:
- This is **required** for 3rd party applications (for example, if you create an application that is intended to run in multiple customers tenant).
+ - Go to **Authentication**, and add https://portal.azure.com as the **Redirect URI**.
- This is **not required** if you create a service that you want to run in your tenant only (i.e. if you create an application for your own usage that will only interact with your own data)
+ - On the bottom of the page, under **Supported account types**, select the **Accounts in any organizational directory** application consent for your multi-tenant app.
- - Go to **Authentication** > Add https://portal.azure.com as **Redirect URI**.
+ You need your application to be approved in each tenant where you intend to use it. This is because your application interacts Microsoft Defender ATP on behalf of your customer.
- - On the bottom of the page, under **Supported account types**, mark **Accounts in any organizational directory**
+ You (or your customer if you are writing a third-party app) need to select the consent link and approve your app. The consent should be done with a user who has administrative privileges in Active Directory.
- - Application consent for your multi-tenant Application:
-
- You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer.
-
- You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
-
- Consent link is of the form:
+ The consent link is formed as follows:
```
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
```
- where 00000000-0000-0000-0000-000000000000 should be replaced with your Application ID
+ Where 00000000-0000-0000-0000-000000000000 is replaced with your application ID.
-- **Done!** You have successfully registered an application!
-- See examples below for token acquisition and validation.
+**Done!** You have successfully registered an application! See examples below for token acquisition and validation.
-## Get an access token examples:
+## Get an access token
-For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+For more details on Azure AD tokens, see the [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds).
-### Using PowerShell
+### Use PowerShell
```
# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
@@ -144,19 +128,19 @@ Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
```
-### Using C#:
+### Use C#:
->The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+The following code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8.
-- Create a new Console Application
-- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
-- Add the below using
+1. Create a new console application.
+1. Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/).
+1. Add the following:
```
using Microsoft.IdentityModel.Clients.ActiveDirectory;
```
-- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+1. Copy and paste the following code in your app (don't forget to update the three variables: ```tenantId, appId, appSecret```):
```
string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
@@ -173,26 +157,25 @@ return $token
```
-### Using Python
+### Use Python
-Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
+See [Get token using Python](run-advanced-query-sample-python.md#get-token).
-### Using Curl
+### Use Curl
> [!NOTE]
-> The below procedure supposed Curl for Windows is already installed on your computer
+> The following procedure assumes that Curl for Windows is already installed on your computer.
-- Open a command window
-- Set CLIENT_ID to your Azure application ID
-- Set CLIENT_SECRET to your Azure application secret
-- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application
-- Run the below command:
+1. Open a command prompt, and set CLIENT_ID to your Azure application ID.
+1. Set CLIENT_SECRET to your Azure application secret.
+1. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your app to access Microsoft Defender ATP.
+1. Run the following command:
```
curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
```
-You will get an answer of the form:
+You will get an answer in the following form:
```
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn aWReH7P0s0tjTBX8wGWqJUdDA"}
@@ -200,20 +183,21 @@ You will get an answer of the form:
## Validate the token
-Sanity check to make sure you got a correct token:
-- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
-- Validate you get a 'roles' claim with the desired permissions
-- In the screen shot below you can see a decoded token acquired from an Application with permissions to all of Microsoft Defender ATP's roles:
+Ensure that you got the correct token:
+
+1. Copy and paste the token you got in the previous step into [JWT](https://jwt.ms) in order to decode it.
+1. Validate that you get a 'roles' claim with the desired permissions
+1. In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender ATP's roles:
## Use the token to access Microsoft Defender ATP API
-- Choose the API you want to use, for more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
-- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
-- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+1. Choose the API you want to use. For more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md).
+1. Set the authorization header in the http request you send to "Bearer {token}" (Bearer is the authorization scheme).
+1. The expiration time of the token is one hour. You can send more then one request with the same token.
-- Example of sending a request to get a list of alerts **using C#**
+The following is an example of sending a request to get a list of alerts **using C#**:
```
var httpClient = new HttpClient();
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index cb90cee7fe..4b26c6d836 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -1,7 +1,7 @@
---
title: OData queries with Microsoft Defender ATP
ms.reviewer:
-description: OData queries with Microsoft Defender ATP
+description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP
keywords: apis, supported apis, odata, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -35,7 +35,7 @@ Not all properties are filterable.
### Example 1
-- Get all the machines with the tag 'ExampleTag'
+Get all the machines with the tag 'ExampleTag'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
@@ -76,7 +76,7 @@ Content-type: application/json
### Example 2
-- Get all the alerts that created after 2018-10-20 00:00:00
+Get all the alerts that created after 2018-10-20 00:00:00
```
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
@@ -126,7 +126,7 @@ Content-type: application/json
### Example 3
-- Get all the machines with 'High' 'RiskScore'
+Get all the machines with 'High' 'RiskScore'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
@@ -167,7 +167,7 @@ Content-type: application/json
### Example 4
-- Get top 100 machines with 'HealthStatus' not equals to 'Active'
+Get top 100 machines with 'HealthStatus' not equals to 'Active'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
@@ -208,7 +208,7 @@ Content-type: application/json
### Example 5
-- Get all the machines that last seen after 2018-10-20
+Get all the machines that last seen after 2018-10-20
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
@@ -249,7 +249,7 @@ Content-type: application/json
### Example 6
-- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
+Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
```
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
@@ -283,7 +283,7 @@ Content-type: application/json
### Example 7
-- Get the count of open alerts for a specific machine:
+Get the count of open alerts for a specific machine:
```
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
new file mode 100644
index 0000000000..86ce1c9e6a
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -0,0 +1,86 @@
+---
+title: Get missing KBs by machine ID
+description: Retrieves missing KBs by machine Id
+keywords: apis, graph api, supported apis, get, list, file, information, machine id, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get missing KBs by machine ID
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves missing KBs by machine Id
+
+## HTTP request
+
+```
+GET /api/machines/{machineId}/getmissingkbs
+```
+
+## Request header
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the specified machine missing kb data in the body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
+```
+
+### Response
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
+ "value": [
+ {
+ "id": "4540673",
+ "name": "March 2020 Security Updates",
+ "productsNames": [
+ "windows_10",
+ "edge",
+ "internet_explorer"
+ ],
+ "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
+ "machineMissedOn": 1,
+ "cveAddressed": 97
+ },
+ ...
+ ]
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
new file mode 100644
index 0000000000..e91d137857
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
@@ -0,0 +1,93 @@
+---
+title: Get missing KBs by software ID
+description: Retrieves missing KBs by software ID
+keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get missing KBs by software ID
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves missing KBs by software ID
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+
+```
+GET /api/Software/{Id}/getmissingkbs
+```
+
+## Request header
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the specified software missing kb data in the body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/getmissingkbs
+```
+
+### Response
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
+ "value": [
+ {
+ "id": "4540673",
+ "name": "March 2020 Security Updates",
+ "productsNames": [
+ "edge"
+ ],
+ "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
+ "machineMissedOn": 240,
+ "cveAddressed": 14
+ },
+ ...
+ ]
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
index 1343ebbc71..449efaf986 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -73,7 +73,7 @@ Here is an example of the response.
"id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
"computerDnsName": "niw_pc",
"osPlatform": "Windows10",
- "rbacGroupId": 2154
+ "rbacGroupName": "GroupTwo"
}
...
]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ASR_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/ASR_icon.png
deleted file mode 100644
index dd521d492a..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ASR_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.jpg
deleted file mode 100644
index ed71564e87..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.png
deleted file mode 100644
index f2622cbc2b..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.jpg
deleted file mode 100644
index 020b1d4132..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.png
deleted file mode 100644
index d5b9b48086..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.jpg
deleted file mode 100644
index d089da2493..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.png
deleted file mode 100644
index 6066f305a2..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png
index b3cb1854b9..17097506c4 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-column-chart.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-column-chart.jpg
new file mode 100644
index 0000000000..34add76848
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-column-chart.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png
new file mode 100644
index 0000000000..7ef27c4d87
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-filter.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-filter.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-line-chart.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-line-chart.jpg
new file mode 100644
index 0000000000..1091d7c719
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-line-chart.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-pie-chart.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-pie-chart.jpg
new file mode 100644
index 0000000000..881ae197d1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-pie-chart.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png
new file mode 100644
index 0000000000..f72fa6a68d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG
deleted file mode 100644
index 57337cd9ab..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-results-filter.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG
rename to windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-results-filter.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-stacked-chart.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-stacked-chart.jpg
new file mode 100644
index 0000000000..d7917a6bed
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-stacked-chart.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/air-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/air-icon.png
new file mode 100644
index 0000000000..985e3e4429
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/air-icon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/asr-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/asr-icon.png
new file mode 100644
index 0000000000..bf649e87ec
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/asr-icon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png
new file mode 100644
index 0000000000..7dd1c6d0e6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png
new file mode 100644
index 0000000000..232b46993b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-win-intune.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-win-intune.png
new file mode 100644
index 0000000000..f5c2853226
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-win-intune.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png
rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configure-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/configure-page.png
new file mode 100644
index 0000000000..899a5a2312
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configure-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configure.png b/windows/security/threat-protection/microsoft-defender-atp/images/configure.png
new file mode 100644
index 0000000000..a8657fc3aa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configure.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png b/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png
new file mode 100644
index 0000000000..f3fabfe3ba
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edr-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/edr-icon.png
new file mode 100644
index 0000000000..8c750dee42
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edr-icon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg
new file mode 100644
index 0000000000..d6177a0899
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png b/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png
new file mode 100644
index 0000000000..270a3502c5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png
new file mode 100644
index 0000000000..05ac6c4637
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png
index 41c451506b..598ea2fd78 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png and b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png
new file mode 100644
index 0000000000..94df3bad5b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png
new file mode 100644
index 0000000000..790f6b8e57
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png
index 6d49c8b659..ef831f2c25 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-investigations.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-investigations.jpg
new file mode 100644
index 0000000000..6fe755e857
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-investigations.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png
index 39b714cdd4..ef12c4002b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png
new file mode 100644
index 0000000000..a08711f23f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png
new file mode 100644
index 0000000000..1e1e039268
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png
new file mode 100644
index 0000000000..a03e0732c7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-10.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png
new file mode 100644
index 0000000000..5d1d428e9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-11.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png
new file mode 100644
index 0000000000..ba0576849e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-12.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png
new file mode 100644
index 0000000000..4854fa9f2f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-13.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png
new file mode 100644
index 0000000000..3f1eb5d2b1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-14.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png
new file mode 100644
index 0000000000..9a4fbebf8a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-15.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png
new file mode 100644
index 0000000000..7928a984a4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-16.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png
new file mode 100644
index 0000000000..1c81f3d4f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-17.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png
new file mode 100644
index 0000000000..86de17e266
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-18.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png
new file mode 100644
index 0000000000..eb8b56ee9b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-19.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png
new file mode 100644
index 0000000000..6754cafb4a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png
new file mode 100644
index 0000000000..da1c678a78
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-20.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png
new file mode 100644
index 0000000000..b1c10100a8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-21.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png
new file mode 100644
index 0000000000..4e584cf8ff
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-22.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png
new file mode 100644
index 0000000000..409a17bd31
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-23.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png
new file mode 100644
index 0000000000..eff967231f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-24.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png
new file mode 100644
index 0000000000..633bdd07fc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-25.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png
new file mode 100644
index 0000000000..4fa5bcefbd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-26.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png
new file mode 100644
index 0000000000..57475dbc33
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-27.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png
new file mode 100644
index 0000000000..8049e9ff17
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png
new file mode 100644
index 0000000000..b66bf94eed
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-29.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png
new file mode 100644
index 0000000000..ac9b6fdbe0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png
new file mode 100644
index 0000000000..34013530b7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-30.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png
new file mode 100644
index 0000000000..ec02855c2e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png
new file mode 100644
index 0000000000..3ca2697396
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png
new file mode 100644
index 0000000000..bae2cefcb1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png
new file mode 100644
index 0000000000..6b88d7c627
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png
new file mode 100644
index 0000000000..7d6da4c656
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-8.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png
new file mode 100644
index 0000000000..73d85b26ad
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mecm-9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png
new file mode 100644
index 0000000000..9106d38d7e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/msdefender-mac-config-profile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-icon.png
new file mode 100644
index 0000000000..1d5693a399
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-icon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ngp-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/ngp-icon.png
new file mode 100644
index 0000000000..9aca3db517
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ngp-icon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png b/windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png
new file mode 100644
index 0000000000..e2a4573a13
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/oboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/oboard.png
new file mode 100644
index 0000000000..cd9e16abb8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/oboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-page.png
new file mode 100644
index 0000000000..3b6aaed8fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard.png
new file mode 100644
index 0000000000..eb6cb9b0aa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/plan-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/plan-page.png
new file mode 100644
index 0000000000..07ff19f20e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/plan-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/plan.png b/windows/security/threat-protection/microsoft-defender-atp/images/plan.png
new file mode 100644
index 0000000000..fa484b1d9d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/plan.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/prepare.png b/windows/security/threat-protection/microsoft-defender-atp/images/prepare.png
new file mode 100644
index 0000000000..8b0c46059f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/prepare.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png
deleted file mode 100644
index a0f5f3e295..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout.png
new file mode 100644
index 0000000000..85a4ed9445
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png
new file mode 100644
index 0000000000..e862c73200
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy.png
new file mode 100644
index 0000000000..9d3b149d1c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png
new file mode 100644
index 0000000000..12f0d72fac
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png
index 570609f803..67f0679c18 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png and b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png
deleted file mode 100644
index 31e550b1e1..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup.png
new file mode 100644
index 0000000000..e8402090e6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/setup.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png
new file mode 100644
index 0000000000..b3893cd5ec
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy.png
new file mode 100644
index 0000000000..7a46a33eec
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png
new file mode 100644
index 0000000000..b299b79238
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png
index d9409e3ab1..88b27a0332 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png and b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations.png b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations.png
new file mode 100644
index 0000000000..5ec281d0b3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png
new file mode 100644
index 0000000000..ea977eacef
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg
new file mode 100644
index 0000000000..577f034ff6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png
new file mode 100644
index 0000000000..4659dcc51f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png
new file mode 100644
index 0000000000..df675109cc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png
new file mode 100644
index 0000000000..7d80bca932
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png
new file mode 100644
index 0000000000..c7c9c0b861
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png
new file mode 100644
index 0000000000..48af27eb1f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png
new file mode 100644
index 0000000000..a066310eae
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png
new file mode 100644
index 0000000000..5a7ce86cbd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png
new file mode 100644
index 0000000000..d8b73ba265
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png
deleted file mode 100644
index 3ef800afac..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png
new file mode 100644
index 0000000000..d78ed19c8d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png
new file mode 100644
index 0000000000..dc677108ac
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png
deleted file mode 100644
index 4da702615b..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png
deleted file mode 100644
index 7d83e1545d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png
deleted file mode 100644
index ea9e800b94..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png
deleted file mode 100644
index cf9f274980..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png
deleted file mode 100644
index 9af2ad6945..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png
deleted file mode 100644
index ec4fa8bc44..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png b/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png
new file mode 100644
index 0000000000..731fa3bcf4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png
new file mode 100644
index 0000000000..72a97b7f26
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index 174242a934..95806be4e6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -21,11 +21,11 @@ manager: dansimp
**Applies to:**
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
@@ -33,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an
This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
## Create and export a configuration file
@@ -53,27 +53,28 @@ When you have configured exploit protection to your desired state (including bot
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
-> [!IMPORTANT]
-> If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
+ > [!IMPORTANT]
+ > If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
-
+ 
-> [!NOTE]
-> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+ > [!NOTE]
+ > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections—either section will export all settings.
### Use PowerShell to export a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
-Change `filename` to any name or location of your choosing.
+ Change `filename` to any name or location of your choosing.
-Example command
-**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
+ Example command:
+
+ **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
> [!IMPORTANT]
> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
@@ -86,17 +87,18 @@ After importing, the settings will be instantly applied and can be reviewed in t
### Use PowerShell to import a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
Set-ProcessMitigation -PolicyFilePath filename.xml
```
-Change `filename` to the location and name of the exploit protection XML file.
+ Change `filename` to the location and name of the exploit protection XML file.
-Example command
-**Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
+ Example command:
+
+ **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
> [!IMPORTANT]
>
@@ -116,14 +118,14 @@ You can only do this conversion in PowerShell.
>
> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
-Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
+ Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
> [!IMPORTANT]
>
@@ -141,7 +143,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
### Use Group Policy to distribute the configuration
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -151,14 +153,14 @@ You can use Group Policy to deploy the configuration you've created to multiple
4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
-5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
+5. In the **Options::** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
* C:\MitigationSettings\Config.XML
* \\\Server\Share\Config.xml
* https://localhost:8080/Config.xml
* C:\ExploitConfigfile.xml
-6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+6. Click **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
deleted file mode 100644
index eb0adb5890..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Configure information protection in Windows
-ms.reviewer:
-description: Learn how to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
-keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure information protection in Windows
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
-
->[!TIP]
-> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
-
-If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file.
-
-
-
-## Prerequisites
-- Endpoints need to be on Windows 10, version 1809 or later
-- You need the appropriate license to use the Microsoft Defender ATP and Azure Information Protection integration
-- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information, see [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
-
-
-## Configure endpoint data loss prevention
-Complete the following steps so that Microsoft Defender ATP can automatically identify labeled documents stored on the device and enable WIP on them.
-
->[!NOTE]
->- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
->- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
-
-1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step.
-2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
-
- 1. Go to: **Classifications > Labels**.
- 2. Create a label or edit an existing one.
- 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
-
- 
-
- 4. Repeat for every label that you want to get WIP applied to in Windows.
-
-
-
-
-## Configure auto labeling
-
-Windows automatically detects when an Office file, CSV, or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
-
-Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled. The file is protected with Endpoint data loss prevention.
-
->[!NOTE]
-> Auto-labeling requires Windows 10, version 1903.
-
-
-1. In Office 365 Security & Compliance, go to **Classifications > Labels**.
-
-2. Create a new label or edit an existing one.
-
-
-3. Set a policy for Data classification:
-
- 1. Go through the label creation wizard.
- 2. When you reach the Auto labeling page, turn on auto labeling toggle on.
- 3. Add a new auto-labeling rule with the conditions that you require.
-
- 
-
- 4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label".
-
-
-
-
-
-
-## Related topic
-- [Information protection in Windows overview](information-protection-in-windows-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index 12d5e36306..0c80426a9f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -1,8 +1,8 @@
---
title: Information protection in Windows overview
-ms.reviewer:
+ms.reviewer:
description: Learn about how information protection works in Windows to identify and protect sensitive information
-keywords: information, protection, dlp, wip, data, loss, prevention, protect
+keywords: information, protection, dlp, data, loss, prevention, protect
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,12 +13,14 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Information protection in Windows overview
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](../../includes/prerelease.md)]
@@ -26,47 +28,44 @@ ms.topic: conceptual
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
-Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
-
>[!TIP]
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
-
Microsoft Defender ATP applies the following methods to discover, classify, and protect data:
+
- **Data discovery** - Identify sensitive data on Windows devices at risk
- **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn’t manually classified it.
-- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label
## Data discovery and data classification
-Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types.
-Sensitivity labels classify and help protect sensitive content.
+Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types.
+Sensitivity labels classify and help protect sensitive content.
Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
+
- Default
- Custom
-Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
+Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type).
-
-When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information.
+When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information.
Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device.
-The reported signals can be viewed on the Azure Information Protection – Data discovery dashboard.
+The reported signals can be viewed on the Azure Information Protection – Data discovery dashboard.
-## Azure Information Protection - Data discovery dashboard
-This dashboard presents a summarized discovery information of data discovered by bothMicrosoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint.
+## Azure Information Protection - Data discovery dashboard
+
+This dashboard presents a summarized discovery information of data discovered by both Microsoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint.
-
Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Microsoft Defender ATP.
Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.
@@ -74,63 +73,26 @@ Click on a device to view a list of files observed on this device, with their se
>[!NOTE]
>Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files.
+## Log Analytics
-
-
-## Log Analytics
Data discovery based on Microsoft Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data.
-For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
+For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
-Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
-
-To view Microsoft Defender ATP data, perform a query that contains:
+Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
+To view Microsoft Defender ATP data, perform a query that contains:
```
-InformationProtectionLogs_CL
-| where Workload_s == "Windows Defender"
+InformationProtectionLogs_CL
+| where Workload_s == "Windows Defender"
```
**Prerequisites:**
+
- Customers must have a subscription for Azure Information Protection.
-- Enable Azure Information Protection integration in Microsoft Defender Security Center:
+- Enable Azure Information Protection integration in Microsoft Defender Security Center:
- Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
-## Data protection
-### Endpoint data loss prevention
-For data to be protected, they must first be identified through labels.
-
-Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
-
-When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
-
-For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices).
-
-
-
-
-Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
-
-This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
-
-For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
-
-## Auto labeling
-
-Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance Center. Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
-
-Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
-
-> [!NOTE]
-> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves.
-
-
-
-For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
-
-
-## Related topics
-- [How Windows Information Protection protects files with a sensitivity label](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
index 379a0c8d3e..664d337477 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
@@ -30,6 +30,9 @@ When you investigate an incident, you'll see:
- Incident comments and actions
- Tabs (alerts, machines, investigations, evidence, graph)
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV]
+
+
## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index fe9095c926..301ad65ba0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -144,6 +144,13 @@ More details about certain events are provided in the **Additional information**
You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
+#### Event details
+Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.
+
+To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint.
+
+
+
### Security recommendations
**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
deleted file mode 100644
index c86b827fd6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md
+++ /dev/null
@@ -1,123 +0,0 @@
----
-title: Validate licensing provisioning and complete Microsoft Defender ATP set up
-description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Microsoft Defender Advanced Threat Protection portal.
-keywords: license, licensing, account, set up, validating licensing, windows defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Validate licensing provisioning and complete set up for Microsoft Defender ATP
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
-
-## Check license state
-
-Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
-
-1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
-
- 
-
-1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
-
- - On the screen you will see all the provisioned licenses and their current **Status**.
-
- 
-
-
-## Cloud Service Provider validation
-
-To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
-
-1. From the **Partner portal**, click on the **Administer services > Office 365**.
-
-2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.
-
- 
-
-## Access Microsoft Defender Security Center for the first time
-
-When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created.
-
-1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
-
- 
-
- Once the authorization step is completed, the **Welcome** screen will be displayed.
-
-2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard.
-
- 
-
- You will need to set up your preferences for Microsoft Defender Security Center.
-
-3. Set up preferences
-
- 
-
- 1. **Select data storage location**
When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
-
- > [!WARNING]
- > This option cannot be changed without completely offboarding from Microsoft Defender ATP and completing a new enrollment process.
-
- 2. **Select the data retention policy**
Microsoft Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process.
-
- > [!NOTE]
- > This option can be changed at a later time.
-
- 3. **Select the size of your organization**
You will need to indicate the size of your organization based on an estimate of the number of employees currently employed.
-
- > [!NOTE]
- > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization.
-
- 4. **Turn on preview features**
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
-
- You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
-
- - Toggle the setting between On and Off to choose **Preview features**.
-
- > [!NOTE]
- > This option can be changed at a later time.
-
-4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
-
- > [!NOTE]
- > Some of these options can be changed at a later time in Microsoft Defender Security Center.
-
- 
-
-5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
-
-6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to:
-
- - [Onboard Windows 10 machines](configure-endpoints.md)
-
- - Run detection test (optional)
-
- 
-
- > [!IMPORTANT]
- > If you click **Start using Microsoft Defender ATP** before onboarding machines you will receive the following notification:
- > 
-
-7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time.
-
-## Related topics
-- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md)
-- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
new file mode 100644
index 0000000000..ef0797f456
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
@@ -0,0 +1,118 @@
+---
+title: Configure and validate exclusions for Microsoft Defender ATP for Linux
+description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes.
+keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configure and validate exclusions for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
+
+> [!IMPORTANT]
+> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+
+You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans.
+
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux.
+
+> [!WARNING]
+> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+## Supported exclusion types
+
+The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux.
+
+Exclusion | Definition | Examples
+---|---|---
+File extension | All files with the extension, anywhere on the machine | `.test`
+File | A specific file identified by the full path | `/var/log/test.log`
`/var/log/*.log`
`/var/log/install.?.log`
+Folder | All files under the specified folder | `/var/log/`
`/var/*/`
+Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t`
+
+File, folder, and process exclusions support the following wildcards:
+
+Wildcard | Description | Example | Matches
+---|---|---|---
+\* | Matches any number of any characters including none | `/var/\*/\*.log` | `/var/log/system.log`
+? | Matches any single character | `file?.log` | `file1.log`
`file2.log`
+
+## How to configure the list of exclusions
+
+### From the management console
+
+For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+### From the command line
+
+Run the following command to see the available switches for managing exclusions:
+
+```bash
+$ mdatp --exclusion
+```
+
+Examples:
+
+- Add an exclusion for a file extension:
+
+ ```bash
+ $ mdatp --exclusion --add-extension .txt
+ Configuration updated successfully
+ ```
+
+- Add an exclusion for a file:
+
+ ```bash
+ $ mdatp --exclusion --add-folder /var/log/dummy.log
+ Configuration updated successfully
+ ```
+
+- Add an exclusion for a folder:
+
+ ```bash
+ $ mdatp --exclusion --add-folder /var/log/
+ Configuration updated successfully
+ ```
+
+- Add an exclusion for a process:
+
+ ```bash
+ $ mdatp --exclusion --add-process cat
+ Configuration updated successfully
+ ```
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using `curl` to download a test file.
+
+In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
+
+```bash
+$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
+```
+
+If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
+
+If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
+
+```bash
+echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
+```
+
+You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
new file mode 100644
index 0000000000..250093e512
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -0,0 +1,281 @@
+---
+title: Deploy Microsoft Defender ATP for Linux manually
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy Microsoft Defender ATP for Linux manually
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This article describes how to deploy Microsoft Defender ATP for Linux manually. A successful deployment requires the completion of all of the following tasks:
+
+- [Configure the Linux software repository](#configure-the-linux-software-repository)
+- [Application installation](#application-installation)
+- [Download the onboarding package](#download-the-onboarding-package)
+- [Client configuration](#client-configuration)
+
+## Prerequisites and system requirements
+
+Before you get started, see [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+
+## Configure the Linux software repository
+
+Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
+
+The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
+
+In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
+
+> [!WARNING]
+> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
+
+### RHEL and variants (CentOS and Oracle Linux)
+
+- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+
+ In the below commands, replace *[distro]* and *[version]* with the information you've identified:
+
+ > [!NOTE]
+ > In case of Oracle Linux, replace *[distro]* with “rhel”.
+
+ ```bash
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ ```
+
+ For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
+
+ ```bash
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
+ ```
+
+- Install the Microsoft GPG public key:
+
+ ```bash
+ curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
+ ```
+
+ ```bash
+ sudo rpm --import microsoft.asc
+ ```
+
+- Install `yum-utils` if it is not already installed:
+
+ ```bash
+ sudo yum install yum-utils
+ ```
+
+- Download and make usable all the metadata for the currently enabled yum repositories:
+
+ ```bash
+ yum makecache
+ ```
+
+### SLES and variants
+
+- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+
+ In the following commands, replace *[distro]* and *[version]* with the information you've identified:
+
+ ```bash
+ sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ ```
+
+ For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
+
+ ```bash
+ sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
+ ```
+
+- Install the Microsoft GPG public key:
+
+ ```bash
+ curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
+ ```
+
+ ```bash
+ rpm --import microsoft.asc
+ ```
+
+### Ubuntu and Debian systems
+
+- Install `curl` if it is not already installed:
+
+ ```bash
+ sudo apt-get install curl
+ ```
+
+- Install `libplist-utils` if it is not already installed:
+
+ ```bash
+ sudo apt-get install libplist-utils
+ ```
+
+- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
+
+ In the below command, replace *[distro]* and *[version]* with the information you've identified:
+
+ ```bash
+ curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
+ ```
+
+ For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
+
+ ```bash
+ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
+ ```
+
+- Install the repository configuration:
+
+ ```bash
+ sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
+ ```
+
+- Install the gpg package if not already installed:
+
+ ```bash
+ sudo apt-get install gpg
+ ```
+
+- Install the Microsoft GPG public key:
+
+ ```bash
+ curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
+ ```
+
+- Install the https driver if it's not already present:
+
+ ```bash
+ sudo apt-get install apt-transport-https
+ ```
+
+- Update the repository metadata:
+
+ ```bash
+ sudo apt-get update
+ ```
+
+## Application installation
+
+- RHEL and variants (CentOS and Oracle Linux):
+
+ ```bash
+ sudo yum install mdatp
+ ```
+
+- SLES and variants:
+
+ ```bash
+ sudo zypper install mdatp
+ ```
+
+- Ubuntu and Debian system:
+
+ ```bash
+ sudo apt-get install mdatp
+ ```
+
+## Download the onboarding package
+
+Download the onboarding package from Microsoft Defender Security Center:
+
+1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 machines)** as the deployment method.
+3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
+
+ 
+
+4. From a command prompt, verify that you have the file.
+ Extract the contents of the archive:
+
+ ```bash
+ ls -l
+ ```
+
+ `total 8`
+ `-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip`
+
+ ```bash
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
+ ```
+
+ `Archive: WindowsDefenderATPOnboardingPackage.zip`
+ `inflating: WindowsDefenderATPOnboarding.py`
+
+## Client configuration
+
+1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target machine.
+
+ Initially the client machine is not associated with an organization. Note that the *orgId* attribute is blank:
+
+ ```bash
+ mdatp --health orgId
+ ```
+
+2. Run MicrosoftDefenderATPOnboardingLinuxServer.py, and note that, in order to run this command, you must have `python` installed on the device:
+
+ ```bash
+ python MicrosoftDefenderATPOnboardingLinuxServer.py
+ ```
+
+3. Verify that the machine is now associated with your organization and reports a valid organization identifier:
+
+ ```bash
+ mdatp --health orgId
+ ```
+
+4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected:
+
+ ```bash
+ mdatp --health healthy
+ ```
+
+ > [!IMPORTANT]
+ > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
+ > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration).
+
+5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:
+
+ - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
+
+ ```bash
+ mdatp --health realTimeProtectionEnabled
+ ```
+
+ - Open a Terminal window. Copy and execute the following command:
+
+ ``` bash
+ curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
+ ```
+
+ - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
+
+ ```bash
+ mdatp --threat --list --pretty
+ ```
+
+## Log installation issues
+
+See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+
+## Uninstallation
+
+See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
new file mode 100644
index 0000000000..d097245cf8
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -0,0 +1,266 @@
+---
+title: Deploy Microsoft Defender ATP for Linux with Ansible
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy Microsoft Defender ATP for Linux with Ansible
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This topic describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
+
+- [Download the onboarding package](#download-the-onboarding-package)
+- [Create Ansible YAML files](#create-ansible-yaml-files)
+- [Deployment](#deployment)
+- [References](#references)
+
+## Prerequisites and system requirements
+
+Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+
+- Ansible needs to be installed on at least on one computer (we will call it the master).
+- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
+- The following software must be installed on all clients:
+ - curl
+ - python-apt
+ - unzip
+
+- All hosts must be listed in the following format in the `/etc/ansible/hosts` file:
+
+ ```bash
+ [servers]
+ host1 ansible_ssh_host=10.171.134.39
+ host2 ansible_ssh_host=51.143.50.51
+ ```
+
+- Ping test:
+
+ ```bash
+ $ ansible -m ping all
+ ```
+
+## Download the onboarding package
+
+Download the onboarding package from Microsoft Defender Security Center:
+
+1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
+3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
+
+ 
+
+4. From a command prompt, verify that you have the file. Extract the contents of the archive:
+
+ ```bash
+ $ ls -l
+ total 8
+ -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+ $ unzip WindowsDefenderATPOnboardingPackage.zip
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ inflating: mdatp_onboard.json
+ ```
+
+## Create Ansible YAML files
+
+Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory:
+
+- Copy the onboarding package to all client machines:
+
+ ```bash
+ - name: Copy the zip file
+ copy:
+ src: /root/WindowsDefenderATPOnboardingPackage.zip
+ dest: /root/WindowsDefenderATPOnboardingPackage.zip
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: Add Microsoft apt signing key
+ apt_key:
+ url: https://packages.microsoft.com/keys/microsoft.asc
+ state: present
+ when: ansible_os_family == "Debian"
+ ```
+
+- Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory:
+
+ ```bash
+ #!/bin/bash
+ # We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root
+ cd /root || exit 1
+ # Unzip the archive and create the onboarding file
+ mkdir -p /etc/opt/microsoft/mdatp/
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
+ ```
+
+- Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory:
+
+ ```bash
+ - name: Register mdatp_onboard.json
+ stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json
+ register: mdatp_onboard
+
+ - name: Copy the setup script file
+ copy:
+ src: /root/setup.sh
+ dest: /root/setup.sh
+ owner: root
+ group: root
+ mode: '0744'
+
+ - name: Run a script to create the onboarding file
+ script: /root/setup.sh
+ when: not mdatp_onboard.stat.exists
+ ```
+
+- Add the Microsoft Defender ATP repository and key.
+
+ Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
+
+ The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
+
+ In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
+
+ > [!WARNING]
+ > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
+
+ Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+
+ In the following commands, replace *[distro]* and *[version]* with the information you've identified.
+
+ > [!NOTE]
+ > In case of Oracle Linux, replace *[distro]* with “rhel”.
+
+ ```bash
+ - name: Add Microsoft apt repository for MDATP
+ apt_repository:
+ repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
+ update_cache: yes
+ state: present
+ filename: microsoft-[channel].list
+ when: ansible_os_family == "Debian"
+
+ - name: Add Microsoft APT key
+ apt_key:
+ keyserver: https://packages.microsoft.com/
+ id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
+ when: ansible_os_family == "Debian"
+
+ - name: Add Microsoft yum repository for MDATP
+ yum_repository:
+ name: packages-microsoft-com-prod-[channel]
+ description: Microsoft Defender ATP
+ file: microsoft-[channel]
+ baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
+ gpgcheck: yes
+ enabled: Yes
+ when: ansible_os_family == "RedHat"
+ ```
+
+- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.
+
+ - For apt-based distributions use the following YAML file:
+
+ ```bash
+ $ cat install_mdatp.yml
+ - hosts: servers
+ tasks:
+ - include: ../roles/download_copy_blob.yml
+ - include: ../roles/setup_blob.yml
+ - include: ../roles/add_apt_repo.yml
+ - apt:
+ name: mdatp
+ state: latest
+ update_cache: yes
+ ```
+
+ ```bash
+ $ cat uninstall_mdatp.yml
+ - hosts: servers
+ tasks:
+ - apt:
+ name: mdatp
+ state: absent
+ ```
+
+ - For yum-based distributions use the following YAML file:
+
+ ```bash
+ $ cat install_mdatp_yum.yml
+ - hosts: servers
+ tasks:
+ - include: ../roles/download_copy_blob.yml
+ - include: ../roles/setup_blob.yml
+ - include: ../roles/add_yum_repo.yml
+ - yum:
+ name: mdatp
+ state: latest
+ enablerepo: packages-microsoft-com-prod-[channel]
+ ```
+
+ ```bash
+ $ cat uninstall_mdatp_yum.yml
+ - hosts: servers
+ tasks:
+ - yum:
+ name: mdatp
+ state: absent
+ ```
+
+## Deployment
+
+Now run the tasks files under `/etc/ansible/playbooks/`.
+
+- Installation:
+
+ ```bash
+ $ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
+ ```
+
+> [!IMPORTANT]
+> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes.
+
+- Validation/configuration:
+
+ ```bash
+ $ ansible -m shell -a 'mdatp --connectivity-test' all
+ $ ansible -m shell -a 'mdatp --health' all
+ ```
+
+- Uninstallation:
+
+ ```bash
+ $ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
+ ```
+
+## Log installation issues
+
+See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+
+## References
+
+- [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)
+
+- [Manage packages with the yum package manager](https://docs.ansible.com/ansible/latest/modules/yum_module.html)
+
+- [Add and remove APT repositories](https://docs.ansible.com/ansible/latest/modules/apt_repository_module.html)
+
+- [Manage apt-packages](https://docs.ansible.com/ansible/latest/modules/apt_module.html)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
new file mode 100644
index 0000000000..92c721fedf
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -0,0 +1,220 @@
+---
+title: Deploy Microsoft Defender ATP for Linux with Puppet
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy Microsoft Defender ATP for Linux with Puppet
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
+
+- [Download the onboarding package](#download-the-onboarding-package)
+- [Create Puppet manifest](#create-a-puppet-manifest)
+- [Deployment](#deployment)
+- [Check onboarding status](#check-onboarding-status)
+
+## Prerequisites and system requirements
+
+Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+
+In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details.
+
+## Download the onboarding package
+
+Download the onboarding package from Microsoft Defender Security Center:
+
+1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
+3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
+
+ 
+
+4. From a command prompt, verify that you have the file. Extract the contents of the archive:
+
+ ```bash
+ $ ls -l
+ total 8
+ -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+ $ unzip WindowsDefenderATPOnboardingPackage.zip
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ inflating: mdatp_onboard.json
+ ```
+
+## Create a Puppet manifest
+
+You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
+
+Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
+
+```bash
+$ pwd
+/etc/puppetlabs/code/environments/production/modules
+
+$ tree install_mdatp
+install_mdatp
+├── files
+│ └── mdatp_onboard.json
+└── manifests
+ └── init.pp
+```
+
+### Contents of `install_mdatp/manifests/init.pp`
+
+Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
+
+The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
+
+In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
+
+> [!WARNING]
+> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
+
+Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+
+In the below commands, replace *[distro]* and *[version]* with the information you've identified:
+
+> [!NOTE]
+> In case of RedHat, Oracle EL, and CentOS 8, replace *[distro]* with 'rhel'.
+
+```puppet
+# Puppet manifest to install Microsoft Defender ATP.
+# @param channel The release channel based on your environment, insider-fast or prod.
+# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'.
+# @param version The Linux distribution release number, e.g. 7.4.
+
+class install_mdatp (
+$channel = 'insiders-fast',
+$distro = undef,
+$version = undef
+){
+ case $::osfamily {
+ 'Debian' : {
+ apt::source { 'microsoftpackages' :
+ location => "https://packages.microsoft.com/${distro}/${version}/prod",
+ release => $channel,
+ repos => 'main',
+ key => {
+ 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
+ 'server' => 'keyserver.ubuntu.com',
+ },
+ }
+ }
+ 'RedHat' : {
+ yumrepo { 'microsoftpackages' :
+ baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}",
+ descr => "packages-microsoft-com-prod-${channel}",
+ enabled => 1,
+ gpgcheck => 1,
+ gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'
+ }
+ }
+ default : { fail("${::osfamily} is currently not supported.") }
+ }
+
+ case $::osfamily {
+ /(Debian|RedHat)/: {
+ file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => '0755'
+ }
+
+ file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
+ source => 'puppet:///modules/mdatp/mdatp_onboard.json',
+ owner => root,
+ group => root,
+ mode => '0600',
+ require => File['/etc/opt/microsoft/mdatp']
+ }
+
+ package { 'mdatp':
+ ensure => 'installed',
+ require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json']
+ }
+ }
+ default : { fail("${::osfamily} is currently not supported.") }
+ }
+}
+```
+
+## Deployment
+
+Include the above manifest in your site.pp file:
+
+```bash
+$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp
+node "default" {
+ include install_mdatp
+}
+```
+
+Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected.
+
+## Monitor Puppet deployment
+
+On the agent machine, you can also check the onboarding status by running:
+
+```bash
+$ mdatp --health
+...
+licensed : true
+orgId : "[your organization identifier]"
+...
+```
+
+- **licensed**: This confirms that the device is tied to your organization.
+
+- **orgId**: This is your Microsoft Defender ATP organization identifier.
+
+## Check onboarding status
+
+You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
+
+```bash
+mdatp --health healthy
+```
+
+The above command prints `1` if the product is onboarded and functioning as expected.
+
+> [!IMPORTANT]
+> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
+
+If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
+
+- 1 if the device is not yet onboarded.
+- 3 if the connection to the daemon cannot be established.
+
+## Log installation issues
+
+See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+
+## Uninstallation
+
+Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file:
+
+```bash
+class remove_mdatp {
+ package { 'mdatp':
+ ensure => 'purged',
+ }
+}
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
new file mode 100644
index 0000000000..537883114e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
@@ -0,0 +1,366 @@
+---
+title: Set preferences for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Describes how to configure Microsoft Defender ATP for Linux in enterprises.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Set preferences for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+>[!IMPORTANT]
+>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line).
+
+In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
+
+This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
+
+## Configuration profile structure
+
+The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.
+
+Typically, you would use a configuration management tool to push a file with the name ```mdatp_managed.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```.
+
+The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
+
+### Antivirus engine preferences
+
+The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
+
+|||
+|:---|:---|
+| **Key** | antivirusEngine |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable real-time protection
+
+Determines whether real-time protection (scan files as they are accessed) is enabled or not.
+
+|||
+|:---|:---|
+| **Key** | enableRealTimeProtection |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Enable / disable passive mode
+
+Determines whether the antivirus engine runs in passive mode or not. In passive mode:
+- Real-time protection is turned off.
+- On-demand scanning is turned on.
+- Automatic threat remediation is turned off.
+- Security intelligence updates are turned on.
+- Status menu icon is hidden.
+
+|||
+|:---|:---|
+| **Key** | passiveMode |
+| **Data type** | Boolean |
+| **Possible values** | false (default)
true |
+| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
+
+#### Exclusion merge policy
+
+Specifies the merge policy for exclusions. It can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
+
+|||
+|:---|:---|
+| **Key** | exclusionsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default)
admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
+#### Scan exclusions
+
+Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
+
+|||
+|:---|:---|
+| **Key** | exclusions |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Type of exclusion**
+
+Specifies the type of content excluded from the scan.
+
+|||
+|:---|:---|
+| **Key** | $type |
+| **Data type** | String |
+| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
+
+**Path to excluded content**
+
+Used to exclude content from the scan by full file path.
+
+|||
+|:---|:---|
+| **Key** | path |
+| **Data type** | String |
+| **Possible values** | valid paths |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**Path type (file / directory)**
+
+Indicates if the *path* property refers to a file or directory.
+
+|||
+|:---|:---|
+| **Key** | isDirectory |
+| **Data type** | Boolean |
+| **Possible values** | false (default)
true |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**File extension excluded from the scan**
+
+Used to exclude content from the scan by file extension.
+
+|||
+|:---|:---|
+| **Key** | extension |
+| **Data type** | String |
+| **Possible values** | valid file extensions |
+| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
+
+**Process excluded from the scan**
+
+Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
+
+|||
+|:---|:---|
+| **Key** | name |
+| **Data type** | String |
+| **Possible values** | any string |
+| **Comments** | Applicable only if *$type* is *excludedFileName* |
+
+#### Allowed threats
+
+List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
+
+|||
+|:---|:---|
+| **Key** | allowedThreats |
+| **Data type** | Array of strings |
+
+#### Disallowed threat actions
+
+Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
+
+|||
+|:---|:---|
+| **Key** | disallowedThreatActions |
+| **Data type** | Array of strings |
+| **Possible values** | allow (restricts users from allowing threats)
restore (restricts users from restoring threats from the quarantine) |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
+#### Threat type settings
+
+The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
+
+|||
+|:---|:---|
+| **Key** | threatTypeSettings |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Threat type**
+
+Type of threat for which the behavior is configured.
+
+|||
+|:---|:---|
+| **Key** | key |
+| **Data type** | String |
+| **Possible values** | potentially_unwanted_application
archive_bomb |
+
+**Action to take**
+
+Action to take when coming across a threat of the type specified in the preceding section. Can be:
+
+- **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged.
+- **Block**: The device is protected against this type of threat and you are notified in the user interface and the security console.
+- **Off**: The device is not protected against this type of threat and nothing is logged.
+
+|||
+|:---|:---|
+| **Key** | value |
+| **Data type** | String |
+| **Possible values** | audit (default)
block
off |
+
+#### Threat type settings merge policy
+
+Specifies the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
+
+|||
+|:---|:---|
+| **Key** | threatTypeSettingsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default)
admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
+### Cloud-delivered protection preferences
+
+The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
+
+|||
+|:---|:---|
+| **Key** | cloudService |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable cloud delivered protection
+
+Determines whether cloud-delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
+
+|||
+|:---|:---|
+| **Key** | enabled |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Diagnostic collection level
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
+
+|||
+|:---|:---|
+| **Key** | diagnosticLevel |
+| **Data type** | String |
+| **Possible values** | optional (default)
required |
+
+#### Enable / disable automatic sample submissions
+
+Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
+
+|||
+|:---|:---|
+| **Key** | automaticSampleSubmission |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+## Recommended configuration profile
+
+To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
+
+The following configuration profile will:
+
+- Enable real-time protection (RTP).
+- Specify how the following threat types are handled:
+ - **Potentially unwanted applications (PUA)** are blocked.
+ - **Archive bombs** (file with a high compression rate) are audited to the product logs.
+- Enable cloud-delivered protection.
+- Enable automatic sample submission.
+
+### Sample profile
+
+```JSON
+{
+ "antivirusEngine":{
+ "enableRealTimeProtection":true,
+ "threatTypeSettings":[
+ {
+ "key":"potentially_unwanted_application",
+ "value":"block"
+ },
+ {
+ "key":"archive_bomb",
+ "value":"audit"
+ }
+ ]
+ },
+ "cloudService":{
+ "automaticSampleSubmission":true,
+ "enabled":true
+ }
+}
+```
+
+## Full configuration profile example
+
+The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
+
+### Full profile
+
+```JSON
+{
+ "antivirusEngine":{
+ "enableRealTimeProtection":true,
+ "passiveMode":false,
+ "exclusionsMergePolicy":"merge",
+ "exclusions":[
+ {
+ "$type":"excludedPath",
+ "isDirectory":false,
+ "path":"/var/log/system.log"
+ },
+ {
+ "$type":"excludedPath",
+ "isDirectory":true,
+ "path":"/home"
+ },
+ {
+ "$type":"excludedFileExtension",
+ "extension":"pdf"
+ },
+ {
+ "$type":"excludedFileName",
+ "name":"cat"
+ }
+ ],
+ "allowedThreats":[
+ "EICAR-Test-File (not a virus)"
+ ],
+ "disallowedThreatActions":[
+ "allow",
+ "restore"
+ ],
+ "threatTypeSettingsMergePolicy":"merge",
+ "threatTypeSettings":[
+ {
+ "key":"potentially_unwanted_application",
+ "value":"block"
+ },
+ {
+ "key":"archive_bomb",
+ "value":"audit"
+ }
+ ]
+ },
+ "cloudService":{
+ "enabled":true,
+ "diagnosticLevel":"optional",
+ "automaticSampleSubmission":true
+ }
+}
+```
+
+## Configuration profile validation
+
+The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
+
+```bash
+$ python -m json.tool mdatp_managed.json
+```
+
+If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
+
+## Configuration profile deployment
+
+Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
new file mode 100644
index 0000000000..adc92e7c31
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -0,0 +1,116 @@
+---
+title: Microsoft Defender ATP for Linux resources
+ms.reviewer:
+description: Describes resources for Microsoft Defender ATP for Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Resources
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+## Collect diagnostic information
+
+If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+
+1. Increase logging level:
+
+ ```bash
+ $ mdatp --log-level verbose
+ Creating connection to daemon
+ Connection established
+ Operation succeeded
+ ```
+
+2. Reproduce the problem.
+
+3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
+
+ ```bash
+ $ sudo mdatp --diagnostic --create
+ Creating connection to daemon
+ Connection established
+ ```
+
+4. Restore logging level:
+
+ ```bash
+ $ mdatp --log-level info
+ Creating connection to daemon
+ Connection established
+ Operation succeeded
+ ```
+
+## Log installation issues
+
+If an error occurs during installation, the installer will only report a general failure.
+
+The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
+
+## Uninstall
+
+There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool.
+
+### Manual uninstallation
+
+- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle Linux).
+- ```sudo zypper remove mdatp``` for SLES and variants.
+- ```sudo apt-get purge mdatp``` for Ubuntu and Debian systems.
+
+## Configure from the command line
+
+Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
+
+|Group |Scenario |Command |
+|-------------|-------------------------------------------|-----------------------------------------------------------------------|
+|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
+|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
+|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
+|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
+|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
+|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
+|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
+|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
+|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
+|Health |Check the product's health |`mdatp --health` |
+|Protection |Scan a path |`mdatp --scan --path [path]` |
+|Protection |Do a quick scan |`mdatp --scan --quick` |
+|Protection |Do a full scan |`mdatp --scan --full` |
+|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
+|Protection |Request a security intelligence update |`mdatp --definition-update` |
+
+## Microsoft Defender ATP portal information
+
+In the Microsoft Defender ATP portal, you'll see two categories of information:
+
+- Antivirus alerts, including:
+ - Severity
+ - Scan type
+ - Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
+ - File information (name, path, size, and hash)
+ - Threat information (name, type, and state)
+- Device information, including:
+ - Machine identifier
+ - Tenant identifier
+ - App version
+ - Hostname
+ - OS type
+ - OS version
+ - Computer model
+ - Processor architecture
+ - Whether the device is a virtual machine
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
new file mode 100644
index 0000000000..0ac647a0b9
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
@@ -0,0 +1,77 @@
+---
+title: Microsoft Defender ATP for Linux static proxy discovery
+ms.reviewer:
+description: Describes how to configure Microsoft Defender ATP for static proxy discovery.
+keywords: microsoft, defender, atp, linux, installation, proxy
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configure Microsoft Defender ATP for Linux for static proxy discovery
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed.
+
+## Installation time configuration
+
+During installation, the ```HTTPS_PROXY``` environment variable must be passed to the package manager. The package manager can read this variable in any of the following ways:
+
+- The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
+
+ ```bash
+ HTTPS_PROXY="http://proxy.server:port/"
+ ```
+
+- The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
+
+ ```bash
+ Acquire::https::Proxy "http://proxy.server:port/";
+ ```
+
+ > [!CAUTION]
+ > Note that above two methods could define the proxy to use for other applications on your system. Use this method with caution, or only if this is meant to be a generally global configuration.
+
+- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
+
+ ```bash
+ $ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
+ ```
+
+ > [!NOTE]
+ > Do not add sudo between the environment variable definition and apt, otherwise the variable will not be propagated.
+
+The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
+
+Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take significantly longer due to network timeouts.
+
+## Post installation configuration
+
+After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
+
+- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address.
+
+- Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
+
+ ```bash
+ HTTPS_PROXY="http://proxy.server:port/"
+ ```
+
+After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
+
+```bash
+$ systemctl daemon-reload; systemctl restart mdatp
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
new file mode 100644
index 0000000000..4a25d355bf
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@@ -0,0 +1,94 @@
+---
+title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+keywords: microsoft, defender, atp, linux, cloud, connectivity, communication
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+## Run the connectivity test
+
+To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
+
+```bash
+$ mdatp --connectivity-test
+```
+
+If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
+
+## Troubleshooting steps for environments without proxy or with transparent proxy
+
+To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
+
+```bash
+curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+The output from this command should be similar to:
+
+```
+OK https://x.cp.wd.microsoft.com/api/report
+OK https://cdn.x.cp.wd.microsoft.com/ping
+```
+
+## Troubleshooting steps for environments with static proxy
+
+> [!WARNING]
+> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
+>
+> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
+
+If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
+
+```bash
+$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
+
+> [!WARNING]
+> The static proxy cannot be configured through a system-wide `HTTPS_PROXY` environment variable. Instead, ensure that `HTTPS_PROXY` is properly set in the `/lib/system/system/mdatp.service` file.
+
+To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
+
+```bash
+#Environment="HTTPS_PROXY=http://address:port"
+```
+
+Also ensure that the correct static proxy address is filled in to replace `address:port`.
+
+If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
+
+```bash
+$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
+```
+
+Upon success, attempt another connectivity test from the command line:
+
+```bash
+$ mdatp --connectivity-test
+```
+
+If the problem persists, contact customer support.
+
+## Resources
+
+- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
new file mode 100644
index 0000000000..0982c630fa
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
@@ -0,0 +1,121 @@
+---
+title: Troubleshoot installation issues for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Troubleshoot installation issues for Microsoft Defender ATP for Linux
+keywords: microsoft, defender, atp, linux, installation
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot installation issues for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+## Verify if installation succeeded
+
+An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
+```bash
+$ sudo journalctl | grep 'microsoft-mdatp' > installation.log
+$ grep 'postinstall end' installation.log
+
+microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
+```
+An output from the previous command with correct date and time of installation indicates success.
+
+Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.
+
+## Installation failed
+
+Check if the mdatp service is running
+```bash
+$ systemctl status mdatp
+
+● mdatp.service - Microsoft Defender ATP
+ Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
+ Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
+ Main PID: 1966 (wdavdaemon)
+ Tasks: 105 (limit: 4915)
+ CGroup: /system.slice/mdatp.service
+ ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
+ ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
+ └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon
+```
+
+## Steps to troubleshoot if mdatp service isn't running
+
+1. Check if “mdatp” user exists:
+```bash
+$ id “mdatp”
+```
+If there’s no output, run
+```bash
+$ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
+```
+
+2. Try enabling and restarting the service using:
+```bash
+$ sudo systemctl enable mdatp
+$ sudo systemctl restart mdatp
+```
+
+3. If mdatp.service isn't found upon running the previous command, run
+```bash
+$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service
+
+where is
+/lib/systemd/system for Ubuntu and Debian distributions
+/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
+```
+and then rerun step 2.
+
+4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
+Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
+
+5. Ensure that the daemon has executable permission.
+```bash
+$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
+
+-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
+```
+If the daemon doesn't have executable permissions, make it executable using:
+```bash
+$ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
+```
+and retry running step 2.
+
+6. Ensure that the file system containing wdavdaemon isn't mounted with “noexec”.
+
+## If mdatp service is running, but EICAR text file detection doesn't work
+
+1. Check the file system type using:
+```bash
+$ findmnt -T
+```
+Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
+
+## Command-line tool “mdatp” isn't working
+
+1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
+```bash
+$ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
+```
+and try again.
+
+If none of the above steps help, collect the diagnostic logs:
+```bash
+$ sudo mdatp --diagnostic --create
+```
+Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
new file mode 100644
index 0000000000..55da60a602
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
@@ -0,0 +1,82 @@
+---
+title: Troubleshoot performance issues for Microsoft Defender ATP for Linux
+description: Troubleshoot performance issues in Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, performance
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot performance issues for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
+
+Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
+
+Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux.
+
+The following steps can be used to troubleshoot and mitigate these issues:
+
+1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues.
+
+ If your device is not managed by your organization, real-time protection can be disabled from the command line:
+
+ ```bash
+ $ mdatp --config realTimeProtectionEnabled false
+ ```
+
+ If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux.
+
+ > [!NOTE]
+ > This feature is available in version 100.90.70 or newer.
+
+ This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
+
+ ```bash
+ $ mdatp config real_time_protection_statistics_enabled on
+ ```
+
+ This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
+
+ ```bash
+ $ mdatp health
+ ```
+
+ Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
+
+ ```bash
+ $ mdatp --config realTimeProtectionEnabled true
+ ```
+
+ To collect current statistics, run:
+
+ ```bash
+ $ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
+ ```
+
+ The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
+
+ > [!NOTE]
+ > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
+
+3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
+
+4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+
+ See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
new file mode 100644
index 0000000000..37b668c4f2
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
@@ -0,0 +1,47 @@
+---
+title: Deploy updates for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Describes how to deploy updates for Microsoft Defender ATP for Linux in enterprise environments.
+keywords: microsoft, defender, atp, linux, updates, deploy
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy updates for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
+
+To update Microsoft Defender ATP for Linux manually, execute one of the following commands:
+
+## RHEL and variants (CentOS and Oracle Linux)
+
+```bash
+sudo yum update mdatp
+```
+
+## SLES and variants
+
+```bash
+sudo zypper update mdatp
+```
+
+## Ubuntu and Debian systems
+
+```bash
+sudo apt-get install --only-upgrade mdatp
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
new file mode 100644
index 0000000000..4c49223e78
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@@ -0,0 +1,30 @@
+---
+title: What's new in Microsoft Defender Advanced Threat Protection for Linux
+description: List of major changes for Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, whatsnew, release
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# What's new in Microsoft Defender Advanced Threat Protection for Linux
+
+## 100.90.70
+
+> [!WARNING]
+> When upgrading the installed package from a product version earlier than 100.90.70, the update may fail on Red Hat-based and SLES distributions. This is because of a major change in a file path. A temporary solution is to remove the older package, and then install the newer one. This issue does not exist in newer versions.
+
+- Antivirus [exclusions now support wildcards](linux-exclusions.md#supported-exclusion-types)
+- Added the ability to [troubleshoot performance issues](linux-support-perf.md) through the `mdatp` command-line tool
+- Improvements to make the package installation more robust
+- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
index 89649bba47..33a756f573 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
@@ -1,6 +1,6 @@
---
title: Live response command examples
-description: Learn about common commands and see examples on how it's used
+description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used
keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index ddd34985a3..8ab5475888 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -1,6 +1,6 @@
---
title: Investigate entities on machines using live response in Microsoft Defender ATP
-description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
+description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real time.
keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,51 +17,69 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Investigate entities on machines using live response
+# Investigate entities on devices using live response
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
+Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — in real time.
-Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
+Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
-With live response, analysts will have the ability to:
-- Run basic and advanced commands to do investigative work
-- Download files such as malware samples and outcomes of PowerShell scripts
-- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
-- Take or undo remediation actions
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW]
+With live response, analysts can do all of the following tasks:
+- Run basic and advanced commands to do investigative work on a device.
+- Download files such as malware samples and outcomes of PowerShell scripts.
+- Download files in the background (new!).
+- Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
+- Take or undo remediation actions.
## Before you begin
-Before you can initiate a session on a machine, make sure you fulfill the following requirements:
-- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later.
+Before you can initiate a session on a device, make sure you fulfill the following requirements:
-- **Enable live response from the settings page**
+- **Verify that you're running a supported version of Windows 10**.
+Devices must be running one of the following versions of Windows 10:
+ - [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
+ - [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
+ - [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+ - [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+ - [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+
+- **Make sure to install appropriate security updates**.
+ - 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
+ - 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
+ - 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
+ - 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
+
+- **Enable live response from the settings page**.
You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
>[!NOTE]
>Only users with manage security or global admin roles can edit these settings.
+
+- **Ensure that the machine has an Automation Remediation level assigned to it**.
+You'll need to enable, at least, the minimum Remediation Level for a given Machine Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
-- **Enable live response unsigned script execution** (optional)
+- **Enable live response unsigned script execution** (optional).
>[!WARNING]
>Allowing the use of unsigned scripts may increase your exposure to threats.
- Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
+ Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
-- **Ensure that you have the appropriate permissions**
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md).
+- **Ensure that you have the appropriate permissions**.
+ Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md).
> [!IMPORTANT]
> The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions.
- Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role.
+ Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.
## Live response dashboard overview
-When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as:
+When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:
- Who created the session
- When the session started
@@ -77,81 +95,112 @@ The dashboard also gives you access to:
## Initiate a live response session on a machine
1. Log in to Microsoft Defender Security Center.
-2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
- >[!NOTE]
- >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
+2. Navigate to the devices list page and select a machine to investigate. The machines page opens.
-2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
-3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
-4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
+3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
+4. Use the built-in commands to do investigative work. For more information, see [Live response commands](#live-response-commands).
+5. After completing your investigation, select **Disconnect session**, then select **Confirm**.
## Live response commands
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
### Basic commands
-The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
-Command | Description
-:---|:---|:---
-cd | Changes the current directory.
-cls | Clears the console screen.
-connect | Initiates a live response session to the machine.
-connections | Shows all the active connections.
-dir | Shows a list of files and subdirectories in a directory
-drivers | Shows all drivers installed on the machine.
-fileinfo | Get information about a file.
-findfile | Locates files by a given name on the machine.
-help | Provides help information for live response commands.
-persistence | Shows all known persistence methods on the machine.
-processes | Shows all processes running on the machine.
-registry | Shows registry values.
-scheduledtasks| Shows all scheduled tasks on the machine.
-services | Shows all services on the machine.
-trace | Sets the terminal's logging mode to debug.
+The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
+| Command | Description |
+|---|---|--- |
+|`cd` | Changes the current directory. |
+|`cls` | Clears the console screen. |
+|`connect` | Initiates a live response session to the device. |
+|`connections` | Shows all the active connections. |
+|`dir` | Shows a list of files and subdirectories in a directory. |
+|`download &` | Downloads a file in the background. |
+drivers | Shows all drivers installed on the device. |
+|`fg ` | Returns a file download to the foreground. |
+|`fileinfo` | Get information about a file. |
+|`findfile` | Locates files by a given name on the device. |
+|`help` | Provides help information for live response commands. |
+|`persistence` | Shows all known persistence methods on the device. |
+|`processes` | Shows all processes running on the device. |
+|`registry` | Shows registry values. |
+|`scheduledtasks` | Shows all scheduled tasks on the device. |
+|`services` | Shows all services on the device. |
+|`trace` | Sets the terminal's logging mode to debug. |
### Advanced commands
-The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
+The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see [Create and manage roles](user-roles.md).
-Command | Description
-:---|:---
-analyze | Analyses the entity with various incrimination engines to reach a verdict.
-getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command.
-run | Runs a PowerShell script from the library on the machine.
-library | Lists files that were uploaded to the live response library.
-putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
-remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
-undo | Restores an entity that was remediated.
+| Command | Description |
+|---|---|
+| `analyze` | Analyses the entity with various incrimination engines to reach a verdict. |
+| `getfile` | Gets a file from the device.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. |
+| `run` | Runs a PowerShell script from the library on the device. |
+| `library` | Lists files that were uploaded to the live response library. |
+| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
+| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
+|`undo` | Restores an entity that was remediated. |
## Use live response commands
+
The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c).
-The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
+The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity.
### Get a file from the machine
-For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
+
+For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation.
>[!NOTE]
->There is a file size limit of 750mb.
+>The following file size limits apply:
+>- `getfile` limit: 3 GB
+>- `fileinfo` limit: 10 GB
+>- `library` limit: 250 MB
+
+### Download a file in the background
+
+To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background.
+
+- To download a file in the background, in the live response command console, type `download &`.
+- If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z.
+- To bring a file download to the foreground, in the live response command console, type `fg `.
+
+Here are some examples:
+
+
+|Command |What it does |
+|---------|---------|
+|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
+|`fg 1234` |Returns a download with command ID *1234* to the foreground. |
+
### Put a file in the library
+
Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
-You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with.
+You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with.
+
+#### To upload a file in the library
-**To upload a file in the library:**
1. Click **Upload file to library**.
+
2. Click **Browse** and select the file.
+
3. Provide a brief description.
+
4. Specify if you'd like to overwrite a file with the same name.
+
5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
+
6. Click **Confirm**.
+
7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
@@ -161,9 +210,8 @@ Anytime during a session, you can cancel a command by pressing CTRL + C.
>[!WARNING]
>Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
-
-
### Automatically run prerequisite commands
+
Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
You can use the auto flag to automatically run prerequisite commands, for example:
@@ -172,8 +220,8 @@ You can use the auto flag to automatically run prerequisite commands, for exampl
getfile c:\Users\user\Desktop\work.txt -auto
```
-
## Run a PowerShell script
+
Before you can run a PowerShell script, you must first upload it to the library.
After uploading the script to the library, use the `run` command to run the script.
@@ -183,9 +231,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
>[!WARNING]
>Allowing the use of unsigned scripts may increase your exposure to threats.
-
-
## Apply command parameters
+
- View the console help to learn about command parameters. To learn about an individual command, run:
`help `
@@ -202,9 +249,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
` -type file -id - auto` or `remediate file - auto`.
-
-
## Supported output types
+
Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
- `-output json`
@@ -213,8 +259,8 @@ Live response supports table and JSON format output types. For each command, the
>[!NOTE]
>Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
-
## Supported output pipes
+
Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
Example:
@@ -223,27 +269,27 @@ Example:
processes > output.txt
```
-
-
## View the command log
-Select the **Command log** tab to see the commands used on the machine during a session.
+
+Select the **Command log** tab to see the commands used on the device during a session.
Each command is tracked with full details such as:
- ID
- Command line
- Duration
- Status and input or output side bar
-
-
-
## Limitations
-- Live response sessions are limited to 10 live response sessions at a time
-- Large scale command execution is not supported
-- A user can only initiate one session at a time
-- A machine can only be in one session at a time
-- There is a file size limit of 750mb when downloading files from a machine
-## Related topic
+- Live response sessions are limited to 10 live response sessions at a time.
+- Large scale command execution is not supported.
+- A user can only initiate one session at a time.
+- A device can only be in one session at a time.
+- The following file size limits apply:
+ - `getfile` limit: 3 GB
+ - `fileinfo` limit: 10 GB
+ - `library` limit: 250 MB
+
+## Related article
- [Live response command examples](live-response-command-examples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index 6459e6190e..7e0983fb5f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -41,10 +41,10 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f
Exclusion | Definition | Examples
---|---|---
-File extension | All files with the extension, anywhere on the machine | .test
-File | A specific file identified by the full path | /var/log/test.log
-Folder | All files under the specified folder | /var/log/
-Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat
cat
+File extension | All files with the extension, anywhere on the machine | `.test`
+File | A specific file identified by the full path | `/var/log/test.log`
+Folder | All files under the specified folder | `/var/log/`
+Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
## How to configure the list of exclusions
@@ -64,15 +64,15 @@ Select the type of exclusion that you wish to add and follow the prompts.
You can validate that your exclusion lists are working by using `curl` to download a test file.
-In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
+In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
-$ curl -o test.txt http://www.eicar.org/download/eicar.com.txt
+$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
-If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
+If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index a3c0a5a7a2..e633d8184f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -53,7 +53,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: WindowsDefenderATPOnboarding.py
+ inflating: MicrosoftDefenderATPOnboardingMacOs.py
```
## Application installation
@@ -87,7 +87,7 @@ The installation proceeds.
## Client configuration
-1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
+1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for Mac.
The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
@@ -98,7 +98,7 @@ The installation proceeds.
2. Run the Python script to install the configuration file:
```bash
- $ /usr/bin/python WindowsDefenderATPOnboarding.py
+ $ /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index 9a7563b95c..08235662b7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -19,20 +19,40 @@ ms.topic: conceptual
# Intune-based deployment for Microsoft Defender ATP for Mac
+> [!NOTE]
+> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and dfeploy the application and send it down to macOS devices.
+> This blog post explains the new features: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995
+> To configure the app go here: https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos
+> To deploy the app go here: https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps:
-- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Client device setup](#client-device-setup)
-- [Create System Configuration profiles](#create-system-configuration-profiles)
-- [Publish application](#publish-application)
+
+1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+1. [Client device setup](#client-device-setup)
+1. [Create System Configuration profiles](#create-system-configuration-profiles)
+1. [Publish application](#publish-application)
## Prerequisites and system requirements
Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+## Overview
+
+The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via Intune. More detailed steps are available below.
+
+| Step | Sample file names | BundleIdentifier |
+|-|-|-|
+| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
+| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
+| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)
**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdavtray |
+
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
@@ -86,23 +106,23 @@ Download the installation and onboarding packages from Microsoft Defender Securi
## Client device setup
-You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
+You do not need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
-1. You are asked to confirm device management.
+1. Confirm device management.
- 
+
- Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
+Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
- 
+
2. Select **Continue** and complete the enrollment.
- You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
- 
+
## Create System Configuration profiles
@@ -116,7 +136,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat steps 1 through 5 for more profiles.
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
+8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
> [!CAUTION]
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
@@ -187,7 +207,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
```
-9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
+9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
```xml
@@ -284,9 +304,9 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
- Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
+Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
- 
+
## Publish application
@@ -294,11 +314,13 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
-5. Use **macOS High Sierra 10.13** as the minimum OS.
+5. Use **macOS High Sierra 10.13** as the minimum OS.
6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
> [!CAUTION]
- > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
+ > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
+ >
+ > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
@@ -311,7 +333,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
9. Change **Assignment type** to **Required**.
-10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
@@ -341,7 +363,7 @@ Solution: Follow the steps above to create a device profile using WindowsDefende
## Logging installation issues
-For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues) .
+For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues).
## Uninstallation
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index 04f3d87059..da29d3b4a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -15,6 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
+ms.date: 04/10/2020
---
# JAMF-based deployment for Microsoft Defender ATP for Mac
@@ -24,11 +25,12 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
-- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Create JAMF policies](#create-jamf-policies)
-- [Client device setup](#client-device-setup)
-- [Deployment](#deployment)
-- [Check onboarding status](#check-onboarding-status)
+
+1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+1. [Create JAMF policies](#create-jamf-policies)
+1. [Client device setup](#client-device-setup)
+1. [Deployment](#deployment)
+1. [Check onboarding status](#check-onboarding-status)
## Prerequisites and system requirements
@@ -36,6 +38,19 @@ Before you get started, please see [the main Microsoft Defender ATP for Mac page
In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow.
+## Overview
+
+The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via JAMF. More detailed steps are available below.
+
+| Step | Sample file names | BundleIdentifier |
+|-|-|-|
+| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)
**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdavtray |
+| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 |
+| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc |
+| [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A |
+
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
@@ -43,16 +58,16 @@ Download the installation and onboarding packages from Microsoft Defender Securi
1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**.
2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**.
3. Set the deployment method to **Mobile Device Management / Microsoft Intune**.
-
- >[!NOTE]
- >JamF falls under **Mobile Device Management**.
-
+
+ > [!NOTE]
+ > Jamf falls under **Mobile Device Management**.
+
4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
-5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
+6. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
```bash
$ ls -l
@@ -73,17 +88,18 @@ You need to create a configuration profile and a policy to start deploying Micro
### Configuration Profile
-The configuration profile contains a custom settings payload that includes:
+The configuration profile contains a custom settings payload that includes the following:
- Microsoft Defender ATP for Mac onboarding information
-- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver
+- Approved Kernel Extensions payload to enable running the Microsoft kernel driver
+
+To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list.
-To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list.
>[!IMPORTANT]
- > You must set the Preference Domain as "com.microsoft.wdav.atp"
+ > You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro).
-
+
### Approved Kernel Extension
@@ -230,6 +246,7 @@ $ mdatp --health healthy
The above command prints "1" if the product is onboarded and functioning as expected.
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
+
- 0 if the device is not yet onboarded
- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 315ec0f230..19065efe0b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
->This article contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise organizations. To configure Microsoft Defender ATP for Mac using the command-line interface, see the [Resources](mac-resources.md#configuring-from-the-command-line) page.
+>This article contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise organizations. To configure Microsoft Defender ATP for Mac using the command-line interface, see [Resources](mac-resources.md#configuring-from-the-command-line).
## Summary
@@ -310,21 +310,12 @@ Manage the preferences of the endpoint detection and response (EDR) component of
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
-#### Enable / disable early preview
-
-Specify whether to enable EDR early preview features.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | earlyPreview |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
#### Device tags
Specify a tag name and its value.
+- The GROUP tag, tags the machine with the specified value. The tag is reflected in the portal under the machine page and can be used for filtering and grouping machines.
+
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
@@ -354,11 +345,15 @@ Specifies the value of tag
| **Data type** | String |
| **Possible values** | any string |
+> [!IMPORTANT]
+> - Only one value per tag type can be set.
+> - Type of tags are unique, and should not be repeated in the same configuration profile.
+
## Recommended configuration profile
-To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
+To get started, we recommend the following configuration for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
-The following configuration profile will:
+The following configuration profile (or, in case of JAMF, a property list that could be uploaded into the custom settings configuration profile) will:
- Enable real-time protection (RTP)
- Specify how the following threat types are handled:
- **Potentially unwanted applications (PUA)** are blocked
@@ -366,7 +361,7 @@ The following configuration profile will:
- Enable cloud-delivered protection
- Enable automatic sample submission
-### JAMF profile
+### Property list for JAMF configuration profile
```XML
@@ -485,9 +480,9 @@ The following configuration profile will:
## Full configuration profile example
-The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac.
+The following templates contain entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac.
-### JAMF profile
+### Property list for JAMF configuration profile
```XML
@@ -569,6 +564,18 @@ The following configuration profile contains entries for all settings described
automaticSampleSubmission
+ edr
+
+ tags
+
+
+ key
+ GROUP
+ value
+ ExampleTag
+
+
+
userInterface
hideStatusMenuIcon
@@ -695,6 +702,18 @@ The following configuration profile contains entries for all settings described
automaticSampleSubmission
+ edr
+
+ tags
+
+
+ key
+ GROUP
+ value
+ ExampleTag
+
+
+
userInterface
hideStatusMenuIcon
@@ -704,13 +723,24 @@ The following configuration profile contains entries for all settings described
```
+## Property list validation
+
+The property list must be a valid *.plist* file. This can be checked by executing:
+
+```bash
+$ plutil -lint com.microsoft.wdav.plist
+com.microsoft.wdav.plist: OK
+```
+
+If the file is well-formed, the above command outputs `OK` and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
+
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune.
### JAMF deployment
-From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the .plist produced earlier.
+From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the *.plist* produced earlier.
>[!CAUTION]
>You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender ATP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index e35c4b95e5..bda42ad846 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -13,7 +13,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -59,7 +59,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
-The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
+The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
@@ -72,6 +72,7 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
+- ```sudo rm -rf '/Library/Application Support/Microsoft/Defender/'```
## Configuring from the command line
@@ -98,29 +99,10 @@ Important tasks, such as controlling product settings and triggering on-demand s
|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` |
+## Client Microsoft Defender ATP quarantine directory
+
+`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
+
## Microsoft Defender ATP portal information
-In the Microsoft Defender ATP portal, you'll see two categories of information.
-
-Antivirus alerts, including:
-
- - Severity
- - Scan type
- - Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
- - File information (name, path, size, and hash)
- - Threat information (name, type, and state)
-
-Device information, including:
-
- - Machine identifier
- - Tenant identifier
- - App version
- - Hostname
- - OS type
- - OS version
- - Computer model
- - Processor architecture
- - Whether the device is a virtual machine
-
- > [!NOTE]
- > Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app and select **Help** > **Send feedback** on your device. Optionally, use the **Feedback** button in the Microsoft Defender Security Center.
+[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
new file mode 100644
index 0000000000..564bfecdbd
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
@@ -0,0 +1,54 @@
+---
+title: Troubleshoot installation issues for Microsoft Defender ATP for Mac
+description: Troubleshoot installation issues in Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, install
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot installation issues for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+## Installation failed
+
+For manual installation, it is Summary page of the installation wizard that says "An error occurred during installation. The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance". For MDM deployments it would be exposed as a generic installation failure as well.
+
+While we do not expose exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file, you can use `sed` to output the last installation session only:
+
+```bash
+$ sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
+
+preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
+INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
+correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
+[ERROR] Downgrade from 100.88.54 to 100.87.80 is not permitted
+preinstall com.microsoft.wdav end [2020-03-11 13:08:49 -0700] 804 => 1
+```
+
+In the example above the actual reason is prefixed with `[ERROR]`.
+The installation failed because a downgrade between these versions is not supported.
+
+## No MDATP's install log
+
+In rare cases installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file.
+You can verify that installation happened and analyze possible errors by querying macOS logs (this can be helpful in case of MDM deployment, when there is no client UI). It is recommended to have a narrow time window to query and filter by the logging process name, as there will be huge amount of information;
+
+```bash
+grep '^2020-03-11 13:08' /var/log/install.log
+
+log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
new file mode 100644
index 0000000000..77c330a95d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md
@@ -0,0 +1,46 @@
+---
+title: Troubleshoot license issues for Microsoft Defender ATP for Mac
+description: Troubleshoot license issues in Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, performance
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Troubleshoot license issues for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+While you are going through [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error:
+
+
+
+**Message:**
+
+No license found
+
+Looks like your organization does not have a license for Microsoft 365 Enterprise subscription.
+
+Contact your administrator for help.
+
+**Cause:**
+
+You deployed and/or installed the MDATP for macOS package ("Download installation package") but you might have run the configuration script ("Download onboarding package").
+
+**Solution:**
+
+Follow the MicrosoftDefenderATPOnboardingMacOs.py instructions documented here:
+[Client configuration](mac-install-manually.md#client-configuration)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
index 7770111d6d..33e4268575 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md
@@ -61,6 +61,12 @@ The `Production` channel contains the most stable version of the product.
| **Data type** | String |
| **Possible values** | InsiderFast
External
Production |
+>[!WARNING]
+>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender ATP for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
+> ```bash
+> $ defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
+> ```
+
### Set update check frequency
Change how often MAU searches for updates.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 34df1f32fc..57fde3cc75 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -19,6 +19,36 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Mac
+> [!NOTE]
+> In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions.
+>
+> In the meantime, starting with macOS Catalina update 10.15.4, Apple introduced a user facing *Legacy System Extension* warning to signal applications that rely on kernel extensions.
+>
+> If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+
+## 100.90.27
+
+- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender ATP for Mac that is different from the system-wide update channel
+- New product icon
+- Other user experience improvements
+- Bug fixes
+
+## 100.86.92
+
+- Improvements around compatibility with Time Machine
+- Addressed an issue where the product was sometimes not cleaning all files under `/Library/Application Support/Microsoft/Defender` during uninstallation
+- Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate
+- Other performance improvements & bug fixes
+
+## 100.86.91
+
+> [!CAUTION]
+> To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of macOS native security updates to OS versions older than [current – 2], MDATP for Mac deployment and updates will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13].
+>
+> If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please upgrade to the latest macOS version to eliminate risks of losing protection.
+
+- Performance improvements & bug fixes
+
## 100.83.73
- Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions)
@@ -37,9 +67,9 @@ ms.topic: conceptual
- Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
- Added a new switch to the command-line utility for testing the connectivity with the backend service
-```bash
-$ mdatp --connectivity-test
-```
+ ```bash
+ $ mdatp --connectivity-test
+ ```
- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view)
- Performance improvements & bug fixes
@@ -60,12 +90,12 @@ $ mdatp --connectivity-test
- Added support for macOS Catalina
-> [!CAUTION]
-> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
->
-> The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
->
-> - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic.
-> - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+ > [!CAUTION]
+ > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
+ >
+ > The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
+ >
+ > - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic.
+ > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md
index 0c7105a289..cd57c99e3a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md
@@ -53,7 +53,7 @@ As part of the process of creating a machine group, you'll:
2. Click **Add machine group**.
-3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations.md#understand-the-automated-investigation-flow).
+3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. See [How the automated investigation starts](automated-investigations.md#how-the-automated-investigation-starts).
>[!TIP]
>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage machine tags](machine-tags.md).
@@ -83,7 +83,6 @@ Machines that are not matched to any groups are added to Ungrouped machines (def
## Related topics
-## Related topic
- [Manage portal access using role-based based access control](rbac.md)
- [Create and manage machine tags](machine-tags.md)
- [Get list of tenant machine groups using Graph API](get-machinegroups-collection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index a38094be67..92e5b76fd8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -25,6 +25,7 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
+
Method|Return Type |Description
:---|:---|:---
[List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org.
@@ -36,9 +37,11 @@ Method|Return Type |Description
[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
+[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
## Properties
-Property | Type | Description
+
+Property | Type | Description
:---|:---|:---
id | String | [machine](machine.md) identity.
computerDnsName | String | [machine](machine.md) fully qualified name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
index 3380258c96..e570e0634a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
@@ -71,14 +71,15 @@ Filter by the following machine health states:
For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-### Security state
+### Antivirus status
-Filter by machines that are well configured or require attention based on the security controls that are enabled in your organization. Applies to active Windows 10 machines only.
+Filter machines by antivirus status. Applies to active Windows 10 machines only.
-- **Well configured** - Machines have the security controls well configured.
-- **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization.
+- **Disabled** - Virus & threat protection is turned off.
+- **Not reporting** - Virus & threat protection is not reporting.
+- **Not updated** - Virus & threat protection is not up to date.
-For more information, see [View the Secure Score dashboard](secure-score-dashboard.md).
+For more information, see [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md).
### Threat mitigation status
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index c66fbce85b..3c7b1fa724 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -79,7 +79,8 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
3. Select the **Trigerring IOC**.
4. Specify the action and scope on the alert.
- You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on a specific machine group.
+ You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs.
Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs.
+
5. Enter a rule name and a comment.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 32343d94bd..8ae4bbb815 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -1,6 +1,6 @@
---
-title: Learn about the automated investigations dashboard in Microsoft Defender Security Center
-description: View the automated investigations list. View the status, detection source and other details for automated investigations.
+title: Review and approve actions following automated investigations in the Microsoft Defender Security Center
+description: Review and approve (or reject) remediation actions following an automated investigation.
keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -8,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: deniseb
+author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -17,154 +17,58 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Learn about the automated investigations dashboard
-By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
+# Review and approve actions following an automated investigation
->[!NOTE]
->If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
+## Remediation actions
-Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
+When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.
-From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
+When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically:
+- Quarantine a file
+- Remove a registry key
+- Kill a process
+- Stop a service
+- Remove a registry key
+- Disable a driver
+- Remove a scheduled task
-
+Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible so that you automated investigations complete in a timely manner.
+No actions are taken when a verdict of *No threats found* is reached for a piece of evidence.
+
+In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
+
+## Review pending actions
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
+
+2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
+
+3. Review any items on the **Pending** tab.
+
+ Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
+
+ You can also select multiple investigations to approve or reject actions on multiple investigations.
+
+
+## Review completed actions
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
+
+2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
+
+3. Select the **History** tab. (If need be, expand the time period to display more data.)
+
+4. Select an item to view more details about that remediation action.
-**Filters**
-You can use the following operations to customize the list of automated investigations displayed:
+## Next steps
+- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
-**Triggering alert**
-The alert that initiated the automated investigation.
+- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response)
-**Status**
-An automated investigation can be in one of the following status:
+## Related articles
-Status | Description
-:---|:---
-| No threats found | No malicious entities found during the investigation.
-| Failed | A problem has interrupted the investigation, preventing it from completing. |
-| Partially remediated | A problem prevented the remediation of some malicious entities. |
-| Pending action | Remediation actions require review and approval. |
-| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
-| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
-| Running | Investigation ongoing. Malicious entities found will be remediated. |
-| Remediated | Malicious entities found were successfully remediated. |
-| Terminated by system | Investigation was stopped by the system. |
-| Terminated by user | A user stopped the investigation before it could complete.
-| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
+- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
-
-
-**Detection source**
-Source of the alert that initiated the automated investigation.
-
-**Threat**
-The category of threat detected during the automated investigation.
-
-
-**Tags**
-Filter using manually added tags that capture the context of an automated investigation.
-
-**Machines**
-You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine.
-
-**Machine groups**
-Apply this filter to see specific machine groups that you might have created.
-
-**Comments**
-Select between filtering the list between automated investigations that have comments and those that don't.
-
-## Analyze automated investigations
-You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
-
-In this view, you'll see the name of the investigation, when it started and ended.
-
-
-
-The progress ring shows two status indicators:
-- Orange ring - shows the pending portion of the investigation
-- Green ring - shows the running time portion of the investigation
-
-
-
-In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
-
-The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
-
-From this view, you can also view and add comments and tags about the investigation.
-
-### Investigation page
-The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
-
-You'll also have access to the following sections that help you see details of the investigation with finer granularity:
-
-- Investigation graph
-- Alerts
-- Machines
-- Evidence
-- Entities
-- Log
-- Pending actions
-
- >[!NOTE]
- >The Pending actions tab is only displayed if there are actual pending actions.
-
-- Pending actions history
-
- >[!NOTE]
- >The Pending actions history tab is only displayed when an investigation is complete.
-
-In any of the sections, you can customize columns to further expand to limit the details you see in a section.
-
-### Investigation graph
-The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
-
-### Alerts
-Shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
-
-Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
-
-Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
-
-Clicking on an alert title brings you the alert page.
-
-### Machines
-Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
-
-Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
-
-Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
-
-Clicking on an machine name brings you the machine page.
-
-### Evidence
-Shows details related to threats associated with this investigation.
-
-### Entities
-Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
-
-### Log
-Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
-
-As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
-
-Available filters include action type, action, status, machine name, and description.
-
-You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
-
-### Pending actions history
-This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation.
-
-
-## Pending actions
-If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.
-
-
-
-When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
-
-
-## Related topic
-- [Investigate Microsoft Defender ATP alerts](investigate-alerts.md)
-- [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
+- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index be8b72641f..9f02877b9e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -1,7 +1,7 @@
----
+---
title: Manage indicators
ms.reviewer:
-description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
+description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -26,7 +26,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
@@ -54,7 +54,7 @@ You can create an indicator for:
- URLs/domains
>[!NOTE]
->There is a limit of 5000 indicators per tenant.
+>There is a limit of 15,000 indicators per tenant.
@@ -69,6 +69,7 @@ There are two ways you can create indicators for files:
### Before you begin
It's important to understand the following prerequisites prior to creating indicators for files:
+
- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
- Supported on machines on Windows 10, version 1703 or later.
@@ -81,7 +82,7 @@ It's important to understand the following prerequisites prior to creating indic
>[!NOTE]
->There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
+>There may be up to 2 hours of latency (usually less) between the time the action is taken and the actual file being blocked.
### Create an indicator for files from the settings page
@@ -103,18 +104,18 @@ One of the options when taking [response actions on a file](respond-file-alerts.
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
-Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
+Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
-## Create indicators for IPs and URLs/domains (preview)
+## Create indicators for IPs and URLs/domains
Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
The threat intelligence data set for this has been managed by Microsoft.
-By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
+By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
### Before you begin
-It's important to understand the following prerequisites prior to creating indicators for IPS, URLs or domains:
-- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Protect your network](network-protection.md).
+It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
+- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later.
- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
@@ -122,16 +123,17 @@ It's important to understand the following prerequisites prior to creating indic
>[!IMPORTANT]
> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
-> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection (link) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS):
+> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
> NOTE:
>- IP is supported for all three protocols
->- Encrypted URLs can only be blocked on first party browsers
+>- Encrypted URLs (full path) can only be blocked on first party browsers
+>- Encrypted URLS (FQDN only) can be blocked outside of first party browsers
>- Full URL path blocks can be applied on the domain level and all unencrypted URLs
>[!NOTE]
->There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked.
+>There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
-### Create an indicator for IPs, URLs or domains from the settings page
+### Create an indicator for IPs, URLs, or domains from the settings page
1. In the navigation pane, select **Settings** > **Indicators**.
@@ -146,6 +148,46 @@ It's important to understand the following prerequisites prior to creating indic
5. Review the details in the Summary tab, then click **Save**.
+## Create indicators for certificates (preview)
+
+You can create indicators for certificates. Some common use cases include:
+
+- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list.
+- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Windows Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same.
+
+
+### Before you begin
+
+It's important to understand the following requirements prior to creating indicators for certificates:
+
+- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+- The Antimalware client version must be 4.18.1901.x or later.
+- Supported on machines on Windows 10, version 1703 or later.
+- The virus and threat protection definitions must be up-to-date.
+- This feature currently supports entering .CER or .PEM file extensions.
+
+>[!IMPORTANT]
+> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it’s trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
+>- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality – only leaf certificates are supported.
+>- Microsoft signed certificates cannot be blocked.
+
+#### Create an indicator for certificates from the settings page:
+
+>[!IMPORTANT]
+> It can take up to 3 hours to create and remove a certificate IoC.
+
+1. In the navigation pane, select **Settings** > **Indicators**.
+
+2. Select the **Certificate** tab.
+
+3. Select **Add indicator**.
+
+4. Specify the following details:
+ - Indicator - Specify the entity details and define the expiration of the indicator.
+ - Action - Specify the action to be taken and provide a description.
+ - Scope - Define the scope of the machine group.
+
+5. Review the details in the Summary tab, then click **Save**.
## Manage indicators
@@ -162,8 +204,33 @@ You can also choose to upload a CSV file that defines the attributes of indicato
Download the sample CSV to know the supported column attributes.
+1. In the navigation pane, select **Settings** > **Indicators**.
+
+2. Select the tab of the entity type you'd like to import indicators for.
+
+3. Select **Import** > **Choose file**.
+
+4. Select **Import**. Do this for all the files you'd like to import.
+
+5. Select **Done**.
+
+The following table shows the supported parameters.
+
+Parameter | Type | Description
+:---|:---|:---
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
+title | String | Indicator alert title. **Required**
+description | String | Description of the indicator. **Required**
+expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
+severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
+recommendedActions | String | TI indicator alert recommended actions. **Optional**
+rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
+
+
+
## Related topic
- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
- [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
- [Use partner integrated solutions](partner-applications.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
index f42404e0ac..2634614f1b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
@@ -54,6 +54,9 @@ The Microsoft Defender ATP APIs can be grouped into three:
Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
+Watch this video for a quick overview of Microsoft Defender ATP's APIs.
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
+
The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, machine, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md).
The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate machines from the network, quarantine files, and others.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
index b005d81545..1dd8377db2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
@@ -34,6 +34,9 @@ Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution th
Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ]
+
+
The integration provides the following major improvements to the existing Cloud App Security discovery:
- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index 34a417fdef..a4991649d4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -24,6 +24,9 @@ ms.topic: conceptual
> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
@@ -48,16 +51,15 @@ Microsoft Defender ATP uses the following combination of technology built into W
Threat & Vulnerability Management |
-
Attack surface reduction |
-
Next generation protection |
-
Endpoint detection and response |
-
Automated investigation and remediation |
-
Secure score |
-
Microsoft Threat Experts |
+
Attack surface reduction |
+
Next generation protection |
+
Endpoint detection and response |
+
Automated investigation and remediation |
+
Microsoft Threat Experts |
|
-Management and APIs |
+Centralized configuration and administration, APIs
| Microsoft Threat Protection |
@@ -97,11 +99,11 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
-**[Secure score](overview-secure-score.md)**
+**[Configuration score](configuration-score.md)**
> [!NOTE]
-> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md).
-Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
+Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
@@ -114,7 +116,7 @@ Microsoft Defender ATP's new managed threat hunting service provides proactive h
-**[Management and APIs](management-apis.md)**
+**[Centralized configuration and administration, APIs](management-apis.md)**
Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
@@ -131,15 +133,6 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
-## In this section
-To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Microsoft Defender Security Center.
-
-Topic | Description
-:---|:---
-[Overview](overview.md) | Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform.
-[Minimum requirements](minimum-requirements.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Microsoft Defender ATP.
-[Configure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Microsoft Defender ATP.
-[Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) | Learn how to address issues that you might encounter while using the platform.
## Related topic
[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
new file mode 100644
index 0000000000..b84dce1ebe
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -0,0 +1,142 @@
+---
+title: Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Describes how to install and use Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender ATP for Linux
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+>
+> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today.
+
+This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux.
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4q3yP]
+
+
+
+> [!CAUTION]
+> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.
+
+## How to install Microsoft Defender ATP for Linux
+
+### Prerequisites
+
+- Access to the Microsoft Defender Security Center portal
+- Beginner-level experience in Linux and BASH scripting
+- Administrative privileges on the device (in case of manual deployment)
+
+### Known issues
+
+- Logged on users do not appear in the ATP portal.
+- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.10.0-327 can result in hanging the operating system. We recommend that you upgrade to version 7.2 or newer.
+- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
+
+ ```bash
+ $ sudo SUSEConnect --status-text
+ ```
+
+### Installation instructions
+
+There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux.
+
+In general you need to take the following steps:
+
+- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the Microsoft Defender ATP portal.
+- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods:
+ - The command-line tool:
+ - [Manual deployment](linux-install-manually.md)
+ - Third-party management tools:
+ - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
+ - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
+
+If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender ATP for Linux](linux-support-install.md).
+
+### System requirements
+
+- Supported Linux server distributions and versions:
+
+ - Red Hat Enterprise Linux 7.2 or higher
+ - CentOS 7.2 or higher
+ - Ubuntu 16.04 LTS or higher LTS
+ - Debian 9 or higher
+ - SUSE Linux Enterprise Server 12 or higher
+ - Oracle Linux 7.2 or higher
+
+- Minimum kernel version 2.6.38
+- The `fanotify` kernel option must be enabled
+ > [!CAUTION]
+ > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
+
+- Disk space: 650 MB
+- The solution currently provides real-time protection for the following file system types:
+
+ - btrfs
+ - ext2
+ - ext3
+ - ext4
+ - tmpfs
+ - xfs
+
+ More file system types will be added in the future.
+
+After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
+
+### Network connections
+
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
+
+| Service location | DNS record |
+| ---------------------------------------- | ----------------------- |
+| Common URLs for all locations | x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
eu-cdn.x.cp.wd.microsoft.com
wu-cdn.x.cp.wd.microsoft.com
officecdn-microsoft-com.akamaized.net
crl.microsoft.com
events.data.microsoft.com |
+| European Union | europe.x.cp.wd.microsoft.com
eu-v20.events.data.microsoft.com
usseu1northprod.blob.core.windows.net
usseu1westprod.blob.core.windows.net |
+| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com
uk-v20.events.data.microsoft.com
ussuk1southprod.blob.core.windows.net
ussuk1westprod.blob.core.windows.net |
+| United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com
ussus1eastprod.blob.core.windows.net
ussus1westprod.blob.core.windows.net |
+
+> [!NOTE]
+> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+
+Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
+- Transparent proxy
+- Manual static proxy configuration
+
+If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
+
+> [!WARNING]
+> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
+>
+> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
+
+For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md).
+
+## How to update Microsoft Defender ATP for Linux
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](linux-updates.md).
+
+## How to configure Microsoft Defender ATP for Linux
+
+Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+## Resources
+
+- For more information about logging, uninstalling, or other topics, see [Resources](linux-resources.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index be43f23ee8..fe71625482 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -73,17 +73,23 @@ The following table lists the services and their associated URLs that your netwo
| Service location | DNS record |
| ---------------------------------------- | ----------------------- |
-| Common URLs for all locations | x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
eu-cdn.x.cp.wd.microsoft.com
wu-cdn.x.cp.wd.microsoft.com
*.blob.core.windows.net
officecdn-microsoft-com.akamaized.net
crl.microsoft.com
events.data.microsoft.com |
-| European Union | europe.x.cp.wd.microsoft.com
eu-v20.events.data.microsoft.com |
-| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com
uk-v20.events.data.microsoft.com |
-| United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com |
+| Common URLs for all locations | x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
eu-cdn.x.cp.wd.microsoft.com
wu-cdn.x.cp.wd.microsoft.com
officecdn-microsoft-com.akamaized.net
crl.microsoft.com
events.data.microsoft.com |
+| European Union | europe.x.cp.wd.microsoft.com
eu-v20.events.data.microsoft.com
usseu1northprod.blob.core.windows.net
usseu1westprod.blob.core.windows.net
winatp-gw-weu.microsoft.com
winatp-gw-neu.microsoft.com |
+| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com
uk-v20.events.data.microsoft.com
ussuk1southprod.blob.core.windows.net
ussuk1westprod.blob.core.windows.net
winatp-gw-ukw.microsoft.com
winatp-gw-uks.microsoft.com |
+| United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com
ussus1eastprod.blob.core.windows.net
ussus1westprod.blob.core.windows.net
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com |
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
+- Proxy auto-config (PAC)
- Web Proxy Auto-discovery Protocol (WPAD)
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
+> [!WARNING]
+> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.
+>
+> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
+
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
@@ -114,6 +120,10 @@ Microsoft regularly publishes software updates to improve performance, security,
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
+## macOS kernel and system extensions
+
+In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. Visit [What's new in Microsoft Defender Advanced Threat Protection for Mac](mac-whatsnew.md) for relevant details.
+
## Resources
- For more information about logging, uninstalling, or other topics, see the [Resources](mac-resources.md) page.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index a28cd30703..235ddd3611 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -22,9 +22,13 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft Threat Experts is a managed detection and response (MDR) service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
+Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
-This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
+This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
+
+Watch this video for a quick overview of Microsoft Threat Experts.
+
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qZ0B]
## Before you begin
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 5c52a93ff5..baef5fe6ab 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -13,7 +13,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -24,12 +24,12 @@ ms.topic: conceptual
There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink).
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
+> [!TIP]
+> - Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
+> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
@@ -37,8 +37,10 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
+- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
+For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
@@ -51,13 +53,14 @@ For more information about licensing requirements for Microsoft Defender ATP pla
Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
- Microsoft Edge
- Internet Explorer version 11
-- Google Chrome
+- Google Chrome
->[!NOTE]
->While other browsers might work, the mentioned browsers are the ones supported.
+> [!NOTE]
+> While other browsers might work, the mentioned browsers are the ones supported.
## Hardware and software requirements
+
### Supported Windows versions
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
@@ -65,6 +68,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
- Windows 8.1 Pro
- Windows 10, version 1607 or later
- Windows 10 Enterprise
+ - [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/)
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
@@ -72,7 +76,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- - Windows Server 2016, version 1803
+ - Windows Server, version 1803 or later
- Windows Server 2019
Machines on your network must be running one of these editions.
@@ -80,24 +84,25 @@ Machines on your network must be running one of these editions.
The hardware requirements for Microsoft Defender ATP on machines is the same as those for the supported editions.
> [!NOTE]
-> Machines that are running mobile versions of Windows are not supported.
+> Machines running mobile versions of Windows are not supported.
### Other supported operating systems
-- macOSX
-- Linux
-- Android
+- macOSX
+- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
->[!NOTE]
->You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
+> [!NOTE]
+> You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
+>
+> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux.
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
> [!NOTE]
-> - You cannot change your data storage location after the first-time setup.
-> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
+> - You cannot change your data storage location after the first-time setup.
+> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
### Diagnostic data settings
@@ -129,12 +134,11 @@ By default, this service is enabled, but it's good practice to check to ensu
If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
-
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
- a. Go to **Start** and type **cmd**.
+ a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
@@ -151,22 +155,18 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
```
-
#### Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
-For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) .
+For more information on additional proxy configuration settings, see [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md).
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
-
-
-
## Windows Defender Antivirus configuration requirement
-The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
+The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
@@ -175,7 +175,7 @@ When Windows Defender Antivirus is not the active antimalware in your organizati
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
> [!NOTE]
-> Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
+> Your regular group policy doesn't apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
@@ -186,9 +186,6 @@ If you're running Windows Defender Antivirus as the primary antimalware product
If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
-
-
-
-## Related topic
+## Related topics
- [Validate licensing and complete setup](licensing.md)
- [Onboard machines](onboard-configure.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 3c6f9f6bc7..26080c90cd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -27,9 +27,11 @@ ms.custom: asr
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-Network protection expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
+Network protection expands the scope of [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
-Network protection is supported beginning with Windows 10, version 1709.
+Network protection is supported beginning with Windows 10, version 1709.
+
+For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
> [!TIP]
> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 3da4badfe6..5f38878dec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -1,15 +1,15 @@
---
title: Threat & Vulnerability Management
description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration asessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities
+keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities, next generation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -18,50 +18,85 @@ ms.topic: conceptual
---
# Threat & Vulnerability Management
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
-## Next-generation capabilities
-Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
+Watch this video for a quick overview of Threat & Vulnerability Management.
+
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn]
+
+## Next-generation capabilities
+
+Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager.
-It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
+It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
+
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
-- Built-in remediation processes through Microsoft Intune and Configuration Manager
+- Built-in remediation processes through Microsoft Intune and Configuration Manager
### Real-time discovery
-
+
To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
+
- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
-- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, and software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
+- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
- Application runtime context. Visibility on application usage patterns for better prioritization and decision-making.
- Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.
-
+
### Intelligence-driven prioritization
-
+
Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
+
- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
-- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
-
+- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
+
### Seamless remediation
-
-Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
+
+Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
+
+- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
+## Before you begin
+
+Ensure that your machines:
+
+- Are onboarded to Microsoft Defender Advanced Threat Protection
+- Run with Windows 10 1709 (Fall Creators Update) or later
+
+>[!NOTE]
+>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
+
+- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
+
+> Release | Security update KB number and link
+> :---|:---
+> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
+> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
+> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+
+- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
+- Have at least one security recommendation that can be viewed in the machine page
+- Are tagged or marked as co-managed
+
## Related topics
+
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
@@ -69,9 +104,6 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index ab3dd486d7..5b7477d473 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -28,11 +28,14 @@ Offboard machine from Microsoft Defender ATP.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+ - Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Machine actions note](../../includes/machineactionsnote.md)]
+>[!Note]
+> This does not support offboarding macOS Devices.
+
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@@ -83,4 +86,4 @@ Content-type: application/json
{
"Comment": "Offboard machine by automation"
}
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index 2e2b69385b..51d5efdc49 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -95,9 +95,6 @@
#### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
-### [Secure score](overview-secure-score.md)
-
-
### [Threat analytics](threat-analytics.md)
@@ -298,8 +295,6 @@
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
-### [Configure Secure score dashboard security controls](secure-score-dashboard.md)
-
### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
@@ -336,7 +331,7 @@
##### [Understand Microsoft Defender ATP APIs](use-apis.md)
##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md)
-##### [Get started with Microsoft Defender ATP APIs]()
+##### [Get started]()
###### [Introduction](apis-intro.md)
###### [Hello World](api-hello-world.md)
###### [Get access with application context](exposed-apis-create-app-webapp.md)
@@ -481,7 +476,6 @@
##### [Update data retention settings](data-retention-settings.md)
##### [Configure alert notifications](configure-email-notifications.md)
##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports.md)
-##### [Enable Secure score security controls](enable-secure-score.md)
##### [Configure advanced features](advanced-features.md)
#### [Permissions]()
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
index 1a48280c33..68bfb931a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
@@ -35,6 +35,8 @@ In general, to onboard devices to the service:
- Use the appropriate management tool and deployment method for your devices
- Run a detection test to verify that the devices are properly onboarded and reporting to the service
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
+
## In this section
Topic | Description
:---|:---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 800d493402..5ac688bcec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -28,23 +28,23 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink).
Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
->[!IMPORTANT]
->This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
+> [!IMPORTANT]
+> This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
- Configure and update System Center Endpoint Protection clients.
- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below.
->[!TIP]
+> [!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
## Configure and update System Center Endpoint Protection clients
->[!IMPORTANT]
->This step is required only if your organization uses System Center Endpoint Protection (SCEP).
+> [!IMPORTANT]
+> This step is required only if your organization uses System Center Endpoint Protection (SCEP).
Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
@@ -59,16 +59,16 @@ The following steps are required to enable this integration:
Review the following details to verify minimum system requirements:
- Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- >[!NOTE]
- >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
+ > [!NOTE]
+ > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
- >[!NOTE]
- >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- >Don't install .NET framework 4.0.x, since it will negate the above installation.
+ > [!NOTE]
+ > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
+ > Don't install .NET Framework 4.0.x, since it will negate the above installation.
- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
@@ -93,29 +93,10 @@ Once completed, you should see onboarded endpoints in the portal within an hour.
### Configure proxy and Internet connectivity settings
- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service:
-
-Agent Resource | Ports
-:---|:---
-| *.oms.opinsights.azure.com | 443 |
-| *.blob.core.windows.net | 443 |
-| *.azure-automation.net | 443 |
-| *.ods.opinsights.azure.com | 443 |
-| winatp-gw-cus.microsoft.com | 443 |
-| winatp-gw-eus.microsoft.com | 443 |
-| winatp-gw-neu.microsoft.com | 443 |
-| winatp-gw-weu.microsoft.com | 443 |
-|winatp-gw-uks.microsoft.com | 443 |
-|winatp-gw-ukw.microsoft.com | 443 |
-
+- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
## Offboard client endpoints
To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Microsoft Defender ATP.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink)
-
-
-
-
-
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
index ff5e1ed7d9..0534d30935 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
@@ -25,6 +25,18 @@ ms.topic: article
To onboard machines without Internet access, you'll need to take the following general steps:
+> [!IMPORTANT]
+> The steps below are applicable only to machines running previous versions of Windows such as:
+Windows Server 2016 and earlier or Windows 8.1 and earlier.
+
+> [!NOTE]
+> An OMS gateway server can still be used as proxy for disconnected Windows 10 machines when configured via 'TelemetryProxyServer' registry or GPO.
+
+For more information, see the following articles:
+- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)
+- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
+- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
+
## On-premise machines
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index 0d041b05e3..c304bcfd54 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -31,7 +31,6 @@ Topic | Description
:---|:---
[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
-[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
new file mode 100644
index 0000000000..e3d22ad134
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -0,0 +1,458 @@
+---
+title: Onboard to the Microsoft Defender ATP service
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Onboard to the Microsoft Defender ATP service
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+Deploying Microsoft Defender ATP is a three-phase process:
+
+
+
+You are currently in the onboarding phase.
+
+
+
+To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements.
+
+The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment.
+
+This article will guide you on:
+- Setting up Microsoft Endpoint Configuration Manager
+- Endpoint detection and response configuration
+- Next-generation protection configuration
+- Attack surface reduction configuration
+
+## Onboarding using Microsoft Endpoint Configuration Manager
+### Collection creation
+To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
+deployment can target either and existing collection or a new collection can be
+created for testing. The onboarding like group policy or manual method does
+not install any agent on the system. Within the Configuration Manager console
+the onboarding process will be configured as part of the compliance settings
+within the console. Any system that receives this required configuration will
+maintain that configuration for as long as the Configuration Manager client
+continues to receive this policy from the management point. Follow the steps
+below to onboard systems with Configuration Manager.
+
+1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
+
+ 
+
+2. Right Click **Device Collection** and select **Create Device Collection**.
+
+ 
+
+3. Provide a **Name** and **Limiting Collection**, then select **Next**.
+
+ 
+
+4. Select **Add Rule** and choose **Query Rule**.
+
+ 
+
+5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
+
+ 
+
+6. Select **Criteria** and then choose the star icon.
+
+ 
+
+7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
+
+ 
+
+8. Select **Next** and **Close**.
+
+ 
+
+9. Select **Next**.
+
+ 
+
+After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
+
+## Endpoint detection and response
+### Windows 10
+From within the Microsoft Defender Security Center it is possible to download
+the '.onboarding' policy that can be used to create the policy in System Center Configuration
+Manager and deploy that policy to Windows 10 devices.
+
+1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
+
+
+
+2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager **.
+
+ 
+
+3. Select **Download package**.
+
+ 
+
+4. Save the package to an accessible location.
+5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
+
+6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
+
+ 
+
+7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
+
+ 
+
+8. Click **Browse**.
+
+9. Navigate to the location of the downloaded file from step 4 above.
+
+ 
+
+10. Click **Next**.
+11. Configure the Agent with the appropriate samples (**None** or **All file types**).
+
+ 
+
+12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
+
+ 
+
+14. Verify the configuration, then click **Next**.
+
+ 
+
+15. Click **Close** when the Wizard completes.
+
+16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
+
+ 
+
+17. On the right panel, select the previously created collection and click **OK**.
+
+ 
+
+
+### Previous versions of Windows Client (Windows 7 and Windows 8.1)
+Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
+
+1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
+
+2. Under operating system choose **Windows 7 SP1 and 8.1**.
+
+ 
+
+3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
+
+Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
+
+Edit the InstallMMA.cmd with a text editor, such as notepad and update the
+following lines and save the file:
+
+ 
+
+Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
+
+ 
+
+Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
+Systems:
+
+- Server SKUs: Windows Server 2008 SP1 or Newer
+
+- Client SKUs: Windows 7 SP1 and later
+
+The MMA agent will need to be installed on Windows devices. To install the
+agent, some systems will need to download the [Update for customer experience
+and diagnostic
+telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+in order to collect the data with MMA. These system versions include but may not
+be limited to:
+
+- Windows 8.1
+
+- Windows 7
+
+- Windows Server 2016
+
+- Windows Server 2012 R2
+
+- Windows Server 2008 R2
+
+Specifically, for Windows 7 SP1, the following patches must be installed:
+
+- Install
+ [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+
+- Install either [.NET Framework
+ 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
+ later) **or**
+ [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
+ Do not install both on the same system.
+
+To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
+below to utilize the provided batch files to onboard the systems. The CMD file
+when executed, will require the system to copy files from a network share by the
+System, the System will install MMA, Install the DependencyAgent, and configure
+MMA for enrollment into the workspace.
+
+
+1. In Microsoft Endpoint Configuration Manager console, navigate to **Software
+ Library**.
+
+2. Expand **Application Management**.
+
+3. Right-click **Packages** then select **Create Package**.
+
+4. Provide a Name for the package, then click **Next**
+
+ 
+
+5. Verify **Standard Program** is selected.
+
+ 
+
+6. Click **Next**.
+
+ 
+
+7. Enter a program name.
+
+8. Browse to the location of the InstallMMA.cmd.
+
+9. Set Run to **Hidden**.
+
+10. Set **Program can run** to **Whether or not a user is logged on**.
+
+11. Click **Next**.
+
+12. Set the **Maximum allowed run time** to 720.
+
+13. Click **Next**.
+
+ 
+
+14. Verify the configuration, then click **Next**.
+
+ 
+
+15. Click **Next**.
+
+16. Click **Close**.
+
+17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
+ Onboarding Package just created and select **Deploy**.
+
+18. On the right panel select the appropriate collection.
+
+19. Click **OK**.
+
+## Next generation protection
+Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
+
+ 
+
+2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
+
+ 
+
+ In certain industries or some select enterprise customers might have specific
+needs on how Antivirus is configured.
+
+
+ [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
+
+ For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
+
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+3. Right-click on the newly created antimalware policy and select **Deploy**.
+
+ 
+
+4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
+
+ 
+
+After completing this task, you now have successfully configured Windows
+Defender Antivirus.
+
+## Attack surface reduction
+The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
+Protection.
+
+All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
+
+To set ASR rules in Audit mode:
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+
+2. Select **Attack Surface Reduction**.
+
+
+3. Set rules to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard policy by clicking on **Next**.
+
+ 
+
+
+5. Once the policy is created click **Close**.
+
+ 
+
+
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Target the policy to the newly created Windows 10 collection and click **OK**.
+
+ 
+
+After completing this task, you now have successfully configured ASR rules in audit mode.
+
+Below are additional steps to verify whether ASR rules are correctly applied to
+endpoints. (This may take few minutes)
+
+
+1. From a web browser, navigate to .
+
+2. Select **Configuration management** from left side menu.
+
+ 
+
+3. Click **Go to attack surface management** in the Attack surface management panel.
+
+ 
+
+4. Click **Configuration** tab in Attack Surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
+
+ 
+
+5. Click each device shows configuration details of ASR rules.
+
+ 
+
+See [Optimize ASR rule deployment and
+detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
+
+
+### To set Network Protection rules in Audit mode:
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+2. Select **Network protection**.
+
+3. Set the setting to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard Policy by clicking **Next**.
+
+ 
+
+5. Once the policy is created click on **Close**.
+
+ 
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Select the policy to the newly created Windows 10 collection and choose **OK**.
+
+ 
+
+After completing this task, you now have successfully configured Network
+Protection in audit mode.
+
+### To set Controlled Folder Access rules in Audit mode:
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+2. Select **Controlled folder access**.
+
+3. Set the configuration to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard Policy by clicking on **Next**.
+
+ 
+
+5. Once the policy is created click on **Close**.
+
+ 
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Target the policy to the newly created Windows 10 collection and click **OK**.
+
+ 
+
+After completing this task, you now have successfully configured Controlled folder access in audit mode.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 1247c43078..4fda24160f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -1,8 +1,8 @@
---
title: Overview of attack surface reduction
ms.reviewer:
-description: Learn about the attack surface reduction capability in Microsoft Defender ATP
-keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender, antivirus, av, windows defender
+description: Learn about the attack surface reduction capabilities of Microsoft Defender ATP.
+keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender advanced threat protection, microsoft defender, antivirus, av, windows defender
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -22,17 +22,19 @@ ms.topic: conceptual
# Overview of attack surface reduction
**Applies to:**
+
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
+Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
-|Article | Description |
-|-------|------|
-|[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. |
-|[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. |
-|[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
-|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) |
-|[Web protection](./web-protection-overview.md) |Secure your machines against web threats and help you regulate unwanted content.
-|[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) |
-|[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) |
-|[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. |
+Article | Description
+-|-
+[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus).
+[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
+[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
+[Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
+[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus)
+[Web protection](./web-protection-overview.md) | Secure your machines against web threats and help you regulate unwanted content.
+[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
+[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
+[Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
index 4c4cf5edcf..261734d68b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
@@ -32,12 +32,10 @@ Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously col
The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
-## In this section
-Topic | Description
-:---|:---
-[Security operations dashboard](security-operations-dashboard.md) | Explore a high level overview of detections, highlighting where response actions are needed.
-[Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) | View and organize the incidents queue, and manage and investigate alerts.
-[Alerts queue](alerts-queue.md) | View and organize the machine alerts queue, and manage and investigate alerts.
-[Machines list](machines-view-overview.md) | Investigate machines with generated alerts and search for specific events over time.
-[Take response actions](response-actions.md) | Learn about the available response actions and apply them to machines and files.
+## Related topics
+- [Security operations dashboard](security-operations-dashboard.md)
+- [Incidents queue](view-incidents-queue.md)
+- [Alerts queue](alerts-queue.md)
+- [Machines list](machines-view-overview.md)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
deleted file mode 100644
index f08e397a67..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Overview of Secure score in Microsoft Defender Security Center
-description: Expand your visibility into the overall security posture of your organization
-keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Overview of Secure score in Microsoft Defender Security Center
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!NOTE]
-> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks.
-
-The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
-
->[!IMPORTANT]
-> This feature is available for machines on Windows 10, version 1703 or later.
-
-
-The **Secure score dashboard** displays a snapshot of:
-- Microsoft secure score
-- Secure score over time
-- Top recommendations
-- Improvement opportunities
-
-
-
-
-## Microsoft secure score
-The Microsoft secure score tile is reflective of the sum of all the security controls that are configured according to the recommended Windows baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
-
-
-
-Each Microsoft security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported Microsoft security controls (security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
-
-The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
-
-In the example image, the total points for the security controls and Office 365 add up to 602 points.
-
-You can set the baselines for calculating the security control scores on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md).
-
-## Secure score over time
-You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
-
-
-
-You can mouse over specific date points to see the total score for that security control is on a specific date.
-
-
-## Top recommendations
-Reflects specific actions you can take to significantly increase the security stance of your organization and how many points will be added to the secure score if you take the recommended action.
-
-
-
-## Improvement opportunities
-Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
-
-Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to reflect the list of machines where improvements can be made.
-
-
-
-
-
-
-Within the tile, you can click on each control to see the recommended optimizations.
-
-Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
-
-## Related topic
-- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Configuration score](configuration-score.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Threat analytics](threat-analytics.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md
deleted file mode 100644
index 0e926f6f8d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Overview of Microsoft Defender ATP
-ms.reviewer:
-description: Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform
-keywords: atp, microsoft defender atp, defender, mdatp, threat protection, platform, threat, vulnerability, asr, attack, surface, reduction, next-gen, protection, edr, endpoint, detection, response, automated, air, cyber threat hunting, advanced hunting
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Overview of Microsoft Defender ATP capabilities
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform.
-
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
-
-## In this section
-
-Topic | Description
-:---|:---
-[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) | Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders—security administrators, security operations, and IT administrators in remediating threats.
-[Attack surface reduction](overview-attack-surface-reduction.md) | Leverage exploit protection, attack surface reduction rules, and other capabilities to protect the perimeter of your organization. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs.
-[Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers.
-[Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats.
-[Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-[Secure score](overview-secure-score.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place.
-[Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand. **NOTE:**
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
-[Advanced hunting](advanced-hunting-overview.md) | Use a powerful query-based threat-hunting tool to proactively find breach activity and create custom detection rules.
-[Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
-[Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other how Microsoft Defender ATP works with other Microsoft security solutions.
-[Portal overview](portal-overview.md) |Learn to navigate your way around Microsoft Defender Security Center.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index 480df72feb..db2e81192e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -22,25 +22,24 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
+Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches.
You can use [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
-- Change Microsoft Defender ATP settings, including time zone and review licensing information.
+- Change Microsoft Defender ATP settings, including time zone and review licensing information
## Microsoft Defender Security Center
-When you open the portal, you’ll see the main areas of the application:
- 
+When you open the portal, you'll see:
-- (1) Navigation pane
-- (2) Main portal
-- (3) Search, Community center, Time settings, Help and support, Feedback
+- (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it)
+- (2) Search, Community center, Localization, Help and support, Feedback
+
+ 
> [!NOTE]
> Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
@@ -49,27 +48,27 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
-**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Interoperability**, **Threat & vulnerability management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**.
-**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard.
+**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
+**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, machines at risk, users at risk, machines with sensor issues, service health, detection sources, and daily machines reporting dashboards.
**Incidents** | View alerts that have been aggregated as incidents.
-**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts.
+**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels.
**Alerts queue** | View alerts generated from machines in your organizations.
-**Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
+**Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
-**Reports** | View graphs detailing alert trends over time, and alert summary charts categorizing threats by severity, status, and attack approach
-**Interoperability** | Lists supported partner applications that can work together with Microsoft Defender, as well as applications that are already connected to Microsoft Defender.
+**Reports** | View graphs detailing threat protection, machine health and compliance, web protection, and vulnerability.
+**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
**Threat & Vulnerability management** | View your configuration score, exposure score, exposed machines, vulnerable software, and take action on top security recommendations.
-**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walkthrough in a trial environment.
-**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, and allows you to perform attack surface management on your machines.
-**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
-**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
-**(3) Community center, Localization, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product. **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support. **Feedback** - Access the feedback button to provide comments about the portal.
+**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment.
+**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
+**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your machines.
+**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, machine management, IT service management, and network assessments.
+**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by machine, file, user, URL, IP, vulnerability, software, and recommendation. **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. **Localization** - Set time zones. **Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert. **Feedback** - Provide comments about what you like or what we can do better.
> [!NOTE]
> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
## Microsoft Defender ATP icons
+
The following table provides information on the icons used all throughout the portal:
Icon | Description
@@ -105,22 +104,23 @@ Icon | Description
| Memory allocation
| Process injection
| Powershell command run
- | Community center
+ | Community center
 | Notifications
 | Automated investigation - no threats found
 | Automated investigation - failed
 | Automated investigation - partially investigated
- | Automated investigation - terminated by system
+ | Automated investigation - terminated by system
 | Automated investigation - pending
 | Automated investigation - running
- | Automated investigation - remediated
+ | Automated investigation - remediated
 | Automated investigation - partially remediated
 | Threat & Vulnerability Management - threat insights
- | Threat & Vulnerability Management - possible active alert
+ | Threat & Vulnerability Management - possible active alert
 | Threat & Vulnerability Management - recommendation insights
## Related topics
-- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md)
+
+- [Overview of Microsoft Defender Security Center](use.md)
- [View the Security operations dashboard](security-operations-dashboard.md)
-- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md)
+- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index b865033486..b4b27d638f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -71,6 +71,7 @@ description | String | Description of the indicator. **Required**
expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
recommendedActions | String | TI indicator alert recommended actions. **Optional**
+rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
## Response
@@ -87,16 +88,18 @@ Here is an example of the request.
POST https://api.securitycenter.windows.com/api/indicators
Content-type: application/json
{
- "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "title": "test",
- "application": "demo-test",
- "expirationTime": "2020-12-12T00:00:00Z",
- "action": "AlertAndBlock",
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "nothing"
+ "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "application": "demo-test",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "nothing",
+ "rbacGroupNames": ["group1", "group2"]
}
+```
## Related topic
- [Manage indicators](manage-indicators.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index 60c0833058..83b69c2140 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -22,9 +22,54 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+
+Deploying Microsoft Defender ATP is a three-phase process:
+
+
+
+
+You are currently in the preparation phase.
+
+
+Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender ATP.
+
+
## Stakeholders and Sign-off
The following section serves to identify all the stakeholders that are involved
-in this project and need to sign-off, review, or stay informed. Add stakeholders
+in the project and need to sign-off, review, or stay informed.
+
+Add stakeholders
to the table below as appropriate for your organization.
- SO = Sign-off on this project
@@ -41,33 +86,6 @@ to the table below as appropriate for your organization.
| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.* | R |
| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I |
-## Project Management
-
-### In Scope
-
-The following is in scope for this project:
-
-- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
- capabilities
-
- - Next Generation Protection
-
- - Attack Surface Reduction
-
-- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
- capabilities including automatic investigation and remediation
-
-- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
-- Use of System Center Configuration Manager to onboard endpoints into the service.
-
-### Out of scope
-
-The following are out of scope of this project:
-
-- Configuration of third-party solutions that might integrate with Microsoft
- Defender ATP.
-
-- Penetration testing in production environment.
## Environment
@@ -138,25 +156,29 @@ structure required for your environment.
## Adoption Order
-In many cases organizations will have existing endpoint security products in
-place. The bare minimum every organization should have is an antivirus solution. But in some cases an organization might also already implanted an EDR solution.
-Historically, replacing any security solution was time intensive and difficult
+In many cases, organizations will have existing endpoint security products in
+place. The bare minimum every organization should have is an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already.
+
+Historically, replacing any security solution used to be time intensive and difficult
to achieve due to the tight hooks into the application layer and infrastructure
dependencies. However, because Microsoft Defender ATP is built into the
-operating system, replacing third-party solutions is easy to achieve.
+operating system, replacing third-party solutions is now easy to achieve.
-Choose which component of Microsoft Defender ATP to be used and remove the ones
-that do not apply. The table below indicates the Microsoft recommendation on the
-order on how the endpoint security suite should be enabled.
+Choose the component of Microsoft Defender ATP to be used and remove the ones
+that do not apply. The table below indicates the order Microsoft recommends for
+how the endpoint security suite should be enabled.
| Component | Description | Adoption Order Rank |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
-| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes: | 2 |
-| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 3 |
-| Threat & Vulnerability Management (TVM) | Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: | 4 |
-| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
-| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
+| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
+|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
+| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). |3 |
+| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
+| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
+| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
+
+## Next step
+|||
+|:-------|:-----|
+|
[Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender ATP deployment
-## Related topic
-- [Production deployment](production-deployment.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 4cde145e4c..a92e6a198a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -24,14 +24,15 @@ ms.topic: conceptual
The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
-> [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
+> [!TIP]
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md).
## Turn on preview features
+
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
Turn on the preview experience setting to be among the first to try upcoming features.
@@ -41,17 +42,19 @@ Turn on the preview experience setting to be among the first to try upcoming fea
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Preview features
-The following features are included in the preview release:
-- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
-
- - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
+The following features are included in the preview release:
+- [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates.
+
+- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
+
+ - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. See [Secure Configuration Assessment (SCA) for Windows Server now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-configuration-assessment-sca-for-windows-server-now-in/ba-p/1243885) and [Reducing risk with new Threat & Vulnerability Management capabilities](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/reducing-risk-with-new-threat-amp-vulnerability-management/ba-p/978145) blogs for more information.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
-- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
+- [Machine health and compliance report](machine-reports.md)
The machine health and compliance report provides high-level information about the devices in your organization.
- [Information protection](information-protection-in-windows-overview.md)
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md
deleted file mode 100644
index 2a83d109de..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Microsoft Defender Advanced Threat Protection product brief
-description: Learn about the Microsoft Defender Advanced Threat Protection capabilities and licensing requirements
-keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender Advanced Threat Protection product brief
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Microsoft Defender ATP is a platform designed to
-help enterprise networks prevent, detect, investigate, and respond to advanced
-threats.
-
-
-
-## Platform capabilities
-
-Capability | Description
-:---|:---
-**Threat and Vulnerability Management** | This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-**Attack Surface Reduction** | The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-**Next Generation Protection** | To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
-**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
-**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-**Microsoft Threat Experts** | Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
-**Secure Score** | Microsoft Defender ATP includes a secure score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization.
- **Advance Hunting** | Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in the organization.
-**Management and API** | Integrate Microsoft Defender Advanced Threat Protection into existing workflows.
- **Microsoft Threat Protection** | Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to the organization. | |
-
-Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
-
-- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
- collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
-
-
-- **Cloud security analytics**: Leveraging big-data, machine-learning, and
- unique Microsoft optics across the Windows ecosystem,
- enterprise cloud products (such as Office 365), and online assets, behavioral signals
- are translated into insights, detections, and recommended responses
- to advanced threats.
-
-- **Threat intelligence**: Generated by Microsoft hunters, security teams,
- and augmented by threat intelligence provided by partners, threat
- intelligence enables Microsoft Defender ATP to identify attacker
- tools, techniques, and procedures, and generate alerts when these
- are observed in collected sensor data.
-
-## Licensing requirements
-Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
-
-- Windows 10 Enterprise E5
-- Windows 10 Education A5
-- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
-- Microsoft 365 A5 (M365 A5)
-
-## Related topic
-- [Prepare deployment](prepare-deployment.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 4e93583820..0c0a59b197 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -1,5 +1,5 @@
---
-title: Microsoft Defender ATP production deployment
+title: Set up Microsoft Defender ATP deployment
description:
keywords:
search.product: eADQiWindows 10XVcnh
@@ -17,25 +17,78 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Microsoft Defender ATP production deployment
+# Set up Microsoft Defender ATP deployment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Proper planning is the foundation of a successful deployment. In this deployment scenario, you'll be guided through the steps on:
+
+Deploying Microsoft Defender ATP is a three-phase process:
+
+
+
+
+You are currently in the set up phase.
+
+In this deployment scenario, you'll be guided through the steps on:
+- Licensing validation
- Tenant configuration
- Network configuration
-- Onboarding using System Center Configuration Manager
-- Endpoint detection and response
-- Next generation protection
-- Attack surface reduction
+
>[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of System Center Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+
+## Check license state
+
+Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
+
+1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
+
+ 
+
+1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
+
+ On the screen you will see all the provisioned licenses and their current **Status**.
+
+ 
+
+
+## Cloud Service Provider validation
+
+To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
+
+1. From the **Partner portal**, click on the **Administer services > Office 365**.
+
+2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.
+
+ 
+
+
## Tenant Configuration
-When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine.
+When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine.
1. From a web browser, navigate to .
@@ -50,7 +103,7 @@ When accessing [Microsoft Defender Security Center](https://securitycenter.windo
4. Set up preferences.
- **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this setup and Microsoft will not transfer the data from the specified geolocation.
+ **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this set up and Microsoft will not transfer the data from the specified geolocation.
**Data retention** - The default is 6 months.
@@ -107,11 +160,8 @@ services if a computer is not permitted to connect to the Internet. The static
proxy is configurable through Group Policy (GP). The group policy can be found
under:
-- Administrative Templates \> Windows Components \> Data Collection and
- Preview Builds \> Configure Authenticated Proxy usage for the Connected User
- Experience and Telemetry Service
-
- - Set it to **Enabled** and select**Disable Authenticated Proxy usage**
+ - Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
+ - Set it to **Enabled** and select **Disable Authenticated Proxy usage**
1. Open the Group Policy Management Console.
2. Create a policy or edit an existing policy based off the organizational practices.
@@ -205,398 +255,7 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
> [!NOTE]
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
-## Onboarding using System Center Configuration Manager
-### Collection creation
-To onboard Windows 10 devices with System Center Configuration Manager, the
-deployment can target either and existing collection or a new collection can be
-created for testing. The onboarding like group policy or manual method does
-not install any agent on the system. Within the Configuration Manager console
-the onboarding process will be configured as part of the compliance settings
-within the console. Any system that receives this required configuration will
-maintain that configuration for as long as the Configuration Manager client
-continues to receive this policy from the management point. Follow the steps
-below to onboard systems with Configuration Manager.
-
-1. In System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
-
- 
-
-2. Right Click **Device Collection** and select **Create Device Collection**.
-
- 
-
-3. Provide a **Name** and **Limiting Collection**, then select **Next**.
-
- 
-
-4. Select **Add Rule** and choose **Query Rule**.
-
- 
-
-5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
-
- 
-
-6. Select **Criteria** and then choose the star icon.
-
- 
-
-7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
-
- 
-
-8. Select **Next** and **Close**.
-
- 
-
-9. Select **Next**.
-
- 
-
-After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
-
-## Endpoint detection and response
-### Windows 10
-From within the Microsoft Defender Security Center it is possible to download
-the '.onboarding' policy that can be used to create the policy in System Center Configuration
-Manager and deploy that policy to Windows 10 devices.
-
-1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
-
-
-
-2. Under Deployment method select the supported version of **System Center Configuration Manager**.
-
- 
-
-3. Select **Download package**.
-
- 
-
-4. Save the package to an accessible location.
-5. In System Center Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
-
-6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
-
- 
-
-7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
-
- 
-
-8. Click **Browse**.
-
-9. Navigate to the location of the downloaded file from step 4 above.
-
- 
-
-10. Click **Next**.
-11. Configure the Agent with the appropriate samples (**None** or **All file types**).
-
- 
-
-12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
-
- 
-
-14. Verify the configuration, then click **Next**.
-
- 
-
-15. Click **Close** when the Wizard completes.
-
-16. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
-
- 
-
-17. On the right panel, select the previously created collection and click **OK**.
-
- 
-
-
-### Previous versions of Windows Client (Windows 7 and Windows 8.1)
-Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
-
-1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
-
-2. Under operating system choose **Windows 7 SP1 and 8.1**.
-
- 
-
-3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
-
-Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
-
-Edit the InstallMMA.cmd with a text editor, such as notepad and update the
-following lines and save the file:
-
- 
-
-Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
-
- 
-
-Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
-Systems:
-
-- Server SKUs: Windows Server 2008 SP1 or Newer
-
-- Client SKUs: Windows 7 SP1 and later
-
-The MMA agent will need to be installed on Windows devices. To install the
-agent, some systems will need to download the [Update for customer experience
-and diagnostic
-telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-in order to collect the data with MMA. These system versions include but may not
-be limited to:
-
-- Windows 8.1
-
-- Windows 7
-
-- Windows Server 2016
-
-- Windows Server 2012 R2
-
-- Windows Server 2008 R2
-
-Specifically, for Windows 7 SP1, the following patches must be installed:
-
-- Install
- [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
-- Install either [.NET Framework
- 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
- later) **or**
- [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
- Do not install both on the same system.
-
-To deploy the MMA with System Center Configuration Manager, follow the steps
-below to utilize the provided batch files to onboard the systems. The CMD file
-when executed, will require the system to copy files from a network share by the
-System, the System will install MMA, Install the DependencyAgent, and configure
-MMA for enrollment into the workspace.
-
-
-1. In System Center Configuration Manager console, navigate to **Software
- Library**.
-
-2. Expand **Application Management**.
-
-3. Right-click **Packages** then select **Create Package**.
-
-4. Provide a Name for the package, then click **Next**
-
- 
-
-5. Verify **Standard Program** is selected.
-
- 
-
-6. Click **Next**.
-
- 
-
-7. Enter a program name.
-
-8. Browse to the location of the InstallMMA.cmd.
-
-9. Set Run to **Hidden**.
-
-10. Set **Program can run** to **Whether or not a user is logged on**.
-
-11. Click **Next**.
-
-12. Set the **Maximum allowed run time** to 720.
-
-13. Click **Next**.
-
- 
-
-14. Verify the configuration, then click **Next**.
-
- 
-
-15. Click **Next**.
-
-16. Click **Close**.
-
-17. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP
- Onboarding Package just created and select **Deploy**.
-
-18. On the right panel select the appropriate collection.
-
-19. Click **OK**.
-
-## Next generation protection
-Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
-
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
-
- 
-
-2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
-
- 
-
- In certain industries or some select enterprise customers might have specific
-needs on how Antivirus is configured.
-
-
- [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
-
- For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
-
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
-3. Right-click on the newly created antimalware policy and select **Deploy** .
-
- 
-
-4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
-
- 
-
-After completing this task, you now have successfully configured Windows
-Defender Antivirus.
-
-## Attack Surface Reduction
-The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
-Protection. All these features provide an audit mode and a block mode. In audit mode there is no end user impact all it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step by step move security controls into block mode.
-
-To set ASR rules in Audit mode:
-
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-
-2. Select **Attack Surface Reduction**.
-
-
-3. Set rules to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard policy by clicking on **Next**.
-
- 
-
-
-5. Once the policy is created click **Close**.
-
- 
-
-
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Target the policy to the newly created Windows 10 collection and click **OK**.
-
- 
-
-After completing this task, you now have successfully configured ASR rules in audit mode.
-
-Below are additional steps to verify whether ASR rules are correctly applied to
-endpoints. (This may take few minutes)
-
-
-1. From a web browser, navigate to .
-
-2. Select **Configuration management** from left side menu.
-
- 
-
-3. Click **Go to attack surface management** in the Attack surface management panel.
-
- 
-
-4. Click **Configuration** tab in Attack Surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
-
- 
-
-5. Click each device shows configuration details of ASR rules.
-
- 
-
-See [Optimize ASR rule deployment and
-detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
-
-
-### To set Network Protection rules in Audit mode:
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-2. Select **Network protection**.
-
-3. Set the setting to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard Policy by clicking **Next**.
-
- 
-
-5. Once the policy is created click on **Close**.
-
- 
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Select the policy to the newly created Windows 10 collection and choose **OK**.
-
- 
-
-After completing this task, you now have successfully configured Network
-Protection in audit mode.
-
-### To set Controlled Folder Access rules in Audit mode:
-
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-2. Select **Controlled folder access**.
-
-3. Set the configuration to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard Policy by clicking on **Next**.
-
- 
-
-5. Once the policy is created click on **Close**.
-
- 
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Target the policy to the newly created Windows 10 collection and click **OK**.
-
- 
-
-After completing this task, you now have successfully configured Controlled folder access in audit mode.
-
+## Next step
+|||
+|:-------|:-----|
+|
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index e52e94be42..f2c30ec2e4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -175,7 +175,7 @@ Here is an example return value:
## Code examples
### Get access token
-The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API.
+The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender ATP SIEM API.
```csharp
AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantId));
@@ -183,19 +183,114 @@ ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret
AuthenticationResult authenticationResult = context.AcquireTokenAsync(detectionsResource, clientCredentials).GetAwaiter().GetResult();
```
-### Use token to connect to the detections endpoint
+```PowerShell
+#Get current working directory
+$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
+#Paste below your Tenant ID, App ID and App Secret (App key).
+$tenantId = '' ### Paste your tenant ID here
+$appId = '' ### Paste your Application ID here
+$appSecret = '' ### Paste your Application secret here
+
+$resourceAppIdUri = 'https://graph.windows.net'
+$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
+$authBody = [Ordered] @{
+ resource = "$resourceAppIdUri"
+ client_id = "$appId"
+ client_secret = "$appSecret"
+ grant_type = 'client_credentials'
+}
+
+#call API
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$authResponse
+Out-File -FilePath "$scriptDir\LatestSIEM-token.txt" -InputObject $authResponse.access_token
```
+
+```Bash
+tenantId='' ### Paste your tenant ID here
+appId='' ### Paste your Application ID here
+appSecret='' ### Paste your Application secret here
+resourceAppIdUri='https://graph.windows.net'
+oAuthUri="https://login.windows.net/$tenantId/oauth2/token"
+scriptDir=$(pwd)
+
+apiResponse=$(curl -s X POST "$oAuthUri" -d "resource=$resourceAppIdUri&client_id=$appId&client_secret=$appSecret&\
+ grant_type=client_credentials" | cut -d "{" -f2 | cut -d "}" -f1)
+IFS=","
+apiResponseArr=($apiResponse)
+IFS=":"
+tokenArr=(${apiResponseArr[6]})
+echo ${tokenArr[1]} | cut -d "\"" -f2 | cut -d "\"" -f1 >> $scriptDir/LatestSIEM-token.txt
+```
+
+### Use token to connect to the detections endpoint
+The following code examples demonstrate how to use an access token for calling the Microsoft Defender ATP SIEM API to get alerts.
+
+```csharp
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult();
string detectionsJson = response.Content.ReadAsStringAsync().Result;
Console.WriteLine("Got detections list: {0}", detectionsJson);
-
```
+```PowerShell
+#Get current working directory
+$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
+#run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-SIEMToken.ps1
+$token = Get-Content "$scriptDir\LatestSIEM-token.txt"
+#Get Alert from the last xx hours 200 in this example. Make sure you have alerts in that time frame.
+$dateTime = (Get-Date).ToUniversalTime().AddHours(-200).ToString("o")
+
+#test SIEM API
+$url = 'https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000'
+
+#Set the WebRequest headers
+$headers = @{
+ 'Content-Type' = 'application/json'
+ Accept = 'application/json'
+ Authorization = "Bearer $token"
+}
+
+#Send the webrequest and get the results.
+$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
+$response
+Write-Host
+
+#Extract the alerts from the results. This works for SIEM API:
+$alerts = $response.Content | ConvertFrom-Json | ConvertTo-Json
+
+#Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file
+$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}
+
+#Save the result as json and as csv
+$outputJsonPath = "$scriptDir\Latest Alerts $dateTimeForFileName.json"
+$outputCsvPath = "$scriptDir\Latest Alerts $dateTimeForFileName.csv"
+
+Out-File -FilePath $outputJsonPath -InputObject $alerts
+Get-Content -Path $outputJsonPath -Raw | ConvertFrom-Json | Select-Object -ExpandProperty value | Export-CSV $outputCsvPath -NoTypeInformation
+```
+
+```Bash
+#Get current working directory
+scriptDir=$(pwd)
+
+#get the token
+token=$(<$scriptDir/LatestSIEM-token.txt)
+
+#test the SIEM API, get alerts since 1/1/2020
+url='https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000'
+
+#send web requst to API and echo JSON content
+apiResponse=$(curl -s X GET "$url" -H "Content-Type: application/json" -H "Accept: application/json"\
+ -H "Authorization: Bearer $token" | cut -d "[" -f2 | cut -d "]" -f1)
+echo "If you see Alert info in JSON format, congratulations you accessed the MDATP SIEM API!"
+echo
+echo $apiResponse
+```
## Error codes
The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index a617060626..9bc6ebcb3f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -63,6 +63,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
- Each event hub message in Azure Event Hubs contains list of records.
- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information.
## Data types mapping:
@@ -78,7 +79,7 @@ To get the data types for event properties do the following:
```
-- Here is an example for Machine Info event:
+- Here is an example for Device Info event:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index f0c242ed3a..682cc7e7d9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -64,6 +64,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
- Each blob contains multiple rows.
- Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information.
## Data types mapping:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
index 7155ac0422..1aabe438b0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Raw Data Streaming API (Preview)
+# Raw Data Streaming API
**Applies to:**
@@ -29,6 +29,9 @@ ms.topic: article
Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga]
+
+
## In this section
Topic | Description
diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
index 20269f37f3..3bf1ca9d9d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
@@ -28,6 +28,8 @@ ms.topic: article
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bJ2a]
+
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access to security portals. Typical tiers include the following three levels:
Tier | Description
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 90191cad9b..9213bd067e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -126,7 +126,9 @@ You can roll back and remove a file from quarantine if you’ve determined that
```
> [!NOTE]
-> Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
+> In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
+>
+> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
## Add indicator to block or allow a file
@@ -209,6 +211,8 @@ Results of deep analysis are matched against threat intelligence and any matches
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
+
**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
> [!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index 6a3f13571d..a6b23d0ed7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -97,7 +97,7 @@ The package contains the following folders:
|:---|:---------|
|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
-|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. - FirewassExecutionLog.txt and pfirewall.log |
+|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. - FirewallExecutionLog.txt and pfirewall.log |
| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. |
| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index 540c957c3f..19ccd7e62c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -71,21 +71,18 @@ Request
Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
+
```
POST https://api.securitycenter.windows.com/api/advancedqueries/run
Content-type: application/json
{
- "Query":"ProcessCreationEvents
-| where InitiatingProcessFileName =~ \"powershell.exe\"
-| where ProcessCommandLine contains \"appdata\"
-| project EventTime, FileName, InitiatingProcessFileName
-| limit 2"
+ "Query":"DeviceProcessEvents
+ | where InitiatingProcessFileName =~ 'powershell.exe'
+ | where ProcessCommandLine contains 'appdata'
+ | project Timestamp, FileName, InitiatingProcessFileName, DeviceId
+ | limit 2"
}
```
@@ -96,32 +93,40 @@ Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
-```
-HTTP/1.1 200 OK
-Content-Type: application/json
+```json
{
- "Schema": [{
- "Name": "EventTime",
- "Type": "DateTime"
- },
- {
- "Name": "FileName",
- "Type": "String"
- },
- {
- "Name": "InitiatingProcessFileName",
- "Type": "String"
- }],
- "Results": [{
- "EventTime": "2018-07-09T07:16:26.8017265",
- "FileName": "csc.exe",
- "InitiatingProcessFileName": "powershell.exe"
- },
- {
- "EventTime": "2018-07-08T19:00:02.7798905",
- "FileName": "gpresult.exe",
- "InitiatingProcessFileName": "powershell.exe"
- }]
+ "Schema": [
+ {
+ "Name": "Timestamp",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "FileName",
+ "Type": "String"
+ },
+ {
+ "Name": "InitiatingProcessFileName",
+ "Type": "String"
+ },
+ {
+ "Name": "DeviceId",
+ "Type": "String"
+ }
+ ],
+ "Results": [
+ {
+ "Timestamp": "2020-02-05T01:10:26.2648757Z",
+ "FileName": "csc.exe",
+ "InitiatingProcessFileName": "powershell.exe",
+ "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
+ },
+ {
+ "Timestamp": "2020-02-05T01:10:26.5614772Z",
+ "FileName": "csc.exe",
+ "InitiatingProcessFileName": "powershell.exe",
+ "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
+ }
+ ]
}
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
deleted file mode 100644
index 1ac2ee7415..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
+++ /dev/null
@@ -1,315 +0,0 @@
----
-title: Configure the security controls in Secure score
-description: Configure the security controls in Secure score
-keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Configure the security controls in Secure score
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> [!NOTE]
-> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
-
-Each security control lists recommendations that you can take to increase the security posture of your organization.
-
-### Endpoint detection and response (EDR) optimization
-
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool.
-
-> [!IMPORTANT]
-> This feature is available for machines on Windows 10, version 1607 or later.
-
-#### Minimum baseline configuration setting for EDR
-
-* Microsoft Defender ATP sensor is on
-* Data collection is working correctly
-* Communication to Microsoft Defender ATP service is not impaired
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Turn on sensor
-* Fix sensor data collection
-* Fix impaired communications
-
-For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-### Windows Defender Antivirus (Windows Defender AV) optimization
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV.
-
-> [!IMPORTANT]
-> This feature is available for machines on Windows 10, version 1607 or later.
-
-#### Minimum baseline configuration setting for Windows Defender AV:
-A well-configured machine for Windows Defender AV meets the following requirements:
-
-- Windows Defender AV is reporting correctly
-- Windows Defender AV is turned on
-- Security intelligence is up-to-date
-- Real-time protection is on
-- Potentially Unwanted Application (PUA) protection is enabled
-
-You can take the following actions to increase the overall security score of your organization:
-
->[!NOTE]
-> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine.
-
-- Fix antivirus reporting
- - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
-- Turn on antivirus
-- Update antivirus Security intelligence
-- Turn on real-time protection
-- Turn on PUA protection
-
-For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).
-
-### OS security updates optimization
-
-This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
-
-> [!IMPORTANT]
-> This feature is available for machines on Windows 10, version 1607 or later.
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Install the latest security updates
-* Fix sensor data collection
- * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter).
-
-### Windows Defender Exploit Guard (Windows Defender EG) optimization
-
-
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender EG
-
-Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met:
-
-* System level protection settings are configured correctly
-* Attack Surface Reduction rules are configured correctly
-* Controlled Folder Access setting is configured correctly
-
-##### System level protection
-
-The following system level configuration settings must be set to **On or Force On**:
-
-1. Control Flow Guard
-2. Data Execution Prevention (DEP)
-3. Randomize memory allocations (Bottom-up ASLR)
-4. Validate exception chains (SEHOP)
-5. Validate heap integrity
-
-> [!NOTE]
-> The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.
-> Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection.
-
-##### Attack Surface Reduction (ASR) rules
-
-The following ASR rules must be configured to **Block mode**:
-
-Rule description | GUIDs
--|-
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-
-> [!NOTE]
-> The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline.
-> Consider enabling this rule in **Audit** or **Block mode** for better protection.
-
-##### Controlled Folder Access
-
-The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**.
-
-> [!NOTE]
-> Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications.
-> Consider enabling Controlled Folder Access for better protection.
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-- Turn on all system-level Exploit Protection settings
-- Set all ASR rules to enabled or audit mode
-- Turn on Controlled Folder Access
-- Turn on Windows Defender Antivirus on compatible machines
-
-### Windows Defender Application Guard (Windows Defender AG) optimization
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline.
-
-A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender AG:
-A well-configured machine for Windows Defender AG meets the following requirements:
-
-- Hardware and software prerequisites are met
-- Windows Defender AG is turned on compatible machines
-- Managed mode is turned on
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Ensure hardware and software prerequisites are met
-
- > [!NOTE]
- > This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on.
-
-* Turn on Microsoft Defender AG on compatible machines
-* Turn on managed mode
-
-For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
-
-### Windows Defender SmartScreen optimization
-
-A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen.
-
-> [!WARNING]
-> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender SmartScreen:
-
-The following settings must be configured with the following settings:
-
-* Check apps and files: **Warn** or **Block**
-* Microsoft Defender SmartScreen for Microsoft Edge: **Warn** or **Block**
-* Microsoft Defender SmartScreen for Microsoft store apps: **Warn** or **Off**
-
-You can take the following actions to increase the overall security score of your organization:
-
-- Set **Check app and files** to **Warn** or **Block**
-- Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block**
-- Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off**
-
-For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
-
-* Set **Check app and files** to **Warn** or **Block**
-* Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block**
-* Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off**
-
-For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
-
-### Windows Defender Firewall optimization
-
-A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender Firewall
-
-* Microsoft Defender Firewall is turned on for all network connections
-* Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
-* Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
-* Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
-
-For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy).
-
-> [!NOTE]
-> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely.
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Turn on firewall
-* Secure domain profile
-* Secure private profile
-* Secure public profile
-* Verify secure configuration of third-party firewall
-* Fix sensor data collection
- * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security).
-
-### BitLocker optimization
-
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1803 or later.
-
-#### Minimum baseline configuration setting for BitLocker
-
-* Ensure all supported drives are encrypted
-* Ensure that all suspended protection on drives resume protection
-* Ensure that drives are compatible
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Encrypt all supported drives
-* Resume protection on all drives
-* Ensure drive compatibility
-* Fix sensor data collection
- * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview).
-
-### Windows Defender Credential Guard optimization
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender Credential Guard:
-Well-configured machines for Windows Defender Credential Guard meets the following requirements:
-
-- Hardware and software prerequisites are met
-- Windows Defender Credential Guard is turned on compatible machines
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Ensure hardware and software prerequisites are met
-* Turn on Credential Guard
-* Fix sensor data collection
- * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
-
-## Related topics
-
-* [Overview of Secure score](overview-secure-score.md)
-* [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-* [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-* [Exposure score](tvm-exposure-score.md)
-* [Configuration score](configuration-score.md)
-* [Security recommendations](tvm-security-recommendation.md)
-* [Remediation](tvm-remediation.md)
-* [Software inventory](tvm-software-inventory.md)
-* [Weaknesses](tvm-weaknesses.md)
-* [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
index ea54e6d0ea..00820b5fe4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
@@ -121,5 +121,5 @@ Click the user account to see details about the user account. For more informati
## Related topics
- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md)
- [Portal overview](portal-overview.md)
-- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md)
+- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
index 49e8e4c12d..414a3a54fc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -20,11 +20,12 @@ ms.topic: article
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
+
Method |Return Type |Description
:---|:---|:---
[List software](get-software.md) | Software collection | List the organizational software inventory.
@@ -32,16 +33,17 @@ Method |Return Type |Description
[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID.
[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
+[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
## Properties
-Property | Type | Description
+
+Property | Type | Description
:---|:---|:---
id | String | Software ID
-Name | String | Software name
-Vendor | String | Software vendor name
-Weaknesses | Long | Number of discovered vulnerabilities
+Name | String | Software name
+Vendor | String | Software vendor name
+Weaknesses | Long | Number of discovered vulnerabilities
publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
activeAlert | Boolean | Active alert is associated with this software
exposedMachines | Long | Number of exposed machines
-impactScore | Double | Exposure score impact of this software
-
+impactScore | Double | Exposure score impact of this software
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
index a1c5557fed..2ade5dcf42 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
@@ -26,6 +26,11 @@ Cyberthreats are emerging more frequently and prevalently. It is critical for or
Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them.
+Watch this short video to quickly understand how threat analytics can help you track the latest threats and stop them.
+
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f]
+
## View the threat analytics dashboard
The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 7df11c3d9e..d5491f5b3c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -8,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -18,203 +18,97 @@ ms.topic: article
---
# Threat & Vulnerability Management scenarios
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
-## Before you begin
-Ensure that your machines:
-- Are onboarded to Microsoft Defender Advanced Threat Protection
-- Run with Windows 10 1709 (Fall Creators Update) or later
+## APIs
->[!NOTE]
->Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
+Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+See the following topics for related APIs:
-- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
+- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
+- [Machine APIs](machine.md)
+- [Recommendation APIs](vulnerability.md)
+- [Score APIs](score.md)
+- [Software APIs](software.md)
+- [Vulnerability APIs](vulnerability.md)
-> Release | Security update KB number and link
-> :---|:---
-> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
-> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
-> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
-- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
-- Have at least one security recommendation that can be viewed in the machine page
-- Are tagged or marked as co-managed
-
-## Reduce your threat and vulnerability exposure
-Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
-
-The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
-- Weaknesses, such as vulnerabilities discovered on the device
-- External and internal threats such as public exploit code and security alerts
-- Likelihood of the device to get breached given its current security posture
-- Value of the device to the organization given its role and content
-
-The exposure score is broken down into the following levels:
-- 0–29: low exposure score
-- 30–69: medium exposure score
-- 70–100: high exposure score
-
-You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
-
-To lower down your threat and vulnerability exposure:
-
-1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens.
-
- >>
-
- >[!NOTE]
- > There are two types of recommendations:
- > - Security update which refers to recommendations that require a package installation
- > - Configuration change which refers to recommendations that require a registry or GPO modification
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
-
-2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. 
-
-3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. 
-
-4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. 
-
-5. Allow a few hours for the changes to propagate in the system.
-
-6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
-
-## Improve your security configuration
->[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). The secure score page is available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
-
-You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
-
-1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls.
-
- >
-
-2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
- 
-
-3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
-
- >.
-
- >You will see a confirmation message that the remediation task has been created.
- >
-
-4. Save your CSV file.
- 
-
-5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
-
-6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
-
-## Request a remediation
->[!NOTE]
->To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
-
-The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow.
-
-Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
-
-1. Click a security recommendation you would like to request remediation for, and then click **Remediation options**.
-
-2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**.
-
-3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
-
-4. Go to the **Remediation** page to view the status of your remediation request.
-
-See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
-
->[!NOTE]
->If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
-
-## File for exception
-With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
-
-There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
-
-Exceptions can be created for both *Security update* and *Configuration change* recommendations.
-
-When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
-
-
-1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu.
-
-2. Click the top-most recommendation. A flyout panel opens with the recommendation details.
-
-3. Click **Exception options**.
-
-
-4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
-
-> 
-
-5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
-
-
-6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
-
-
-## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
-
-1. Go to **Advanced hunting** from the left-hand navigation pane.
+1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.
2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
3. Enter the following queries:
```kusto
-// Search for machines with High active alerts or Critical CVE public exploit
-DeviceTvmSoftwareInventoryVulnerabilities
-| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
+// Search for machines with High active alerts or Critical CVE public exploit
+DeviceTvmSoftwareInventoryVulnerabilities
+| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
| where IsExploitAvailable == 1 and CvssScore >= 7
-| summarize NumOfVulnerabilities=dcount(CveId),
-DeviceName=any(DeviceName) by DeviceId
+| summarize NumOfVulnerabilities=dcount(CveId),
+DeviceName=any(DeviceName) by DeviceId
| join kind =inner(DeviceAlertEvents) on DeviceId
-| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
-DeviceName=any(DeviceName) by DeviceId, AlertId
+| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
+DeviceName=any(DeviceName) by DeviceId, AlertId
| project DeviceName, NumOfVulnerabilities, AlertId
-| order by NumOfVulnerabilities desc
+| order by NumOfVulnerabilities desc
```
-## Conduct an inventory of software or software versions which have reached their end-of-life
-End-of-life for software or software versions means that they will no longer be supported nor serviced. When you use software or software versions which have reached their end-of-life, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+## Find and remediate software or software versions which have reached end-of-support (EOS)
-It is crucial for you as Security and IT Administrators to work together and ensure that your organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
+End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+
+It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates.
+
+To find software or software versions which have reached end-of-support:
-To conduct an inventory of software or software versions which have reached their end of life:
1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
-2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options if you want to see the list of software recommendations associated with software which have reached their end-of-life (tagged as **EOL software**). Select **Software update** from **Remediation Type** options if you want to see the list of software recommendations associated with software and software versions which have reached their end-of-life (tagged as **EOL versions installed**).
-3. Select a software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
-
+2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
-4. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-life, and how many vulnerabilities were discovered in it.
-
+ 
-After you have identified which software and software versions are vulnerable due to its end-of-life status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
+3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
+ 
+
+### List of versions and dates
+
+To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps:
+
+1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected.
+
+ 
+
+2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
+
+ 
+
+3. Select one of the versions in the table to open. For example, version 3.5.2150.0. A flyout will appear with the end of support date.
+
+
+
+After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
index e0ce98100b..34dcdcc230 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
@@ -72,11 +72,12 @@ IE and Microsoft Edge use the **Region** settings configured in the **Clocks, La
#### Known issues with regional formats
**Date and time formats**
-There are some known issues with the time and date formats.
+There are some known issues with the time and date formats. If you configure your regional settings to anything other than the supported formats, the portal may not correctly reflect your settings.
-The following date formats are supported:
-- MM/dd/yyyy
-- dd/MM/yyyy
+The following date and time formats are supported:
+- Date format MM/dd/yyyy
+- Date format dd/MM/yyyy
+- Time format hh:mm:ss (12 hour format)
The following date and time formats are currently not supported:
- Date format yyyy-MM-dd
@@ -84,7 +85,7 @@ The following date and time formats are currently not supported:
- Date format dd/MM/yy
- Date format MM/dd/yy
- Date format with yy. Will only show yyyy.
-- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
+- Time format HH:mm:ss (24 hour format)
**Decimal symbol used in numbers**
Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
index 8e21eddb4d..d415db238d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
@@ -52,5 +52,14 @@ If while trying to take an action during a live response session, you encounter
4. Navigate to your TEMP folder.
5. Run the action you wanted to take on the copied file.
+## Slow live response sessions or delays during initial connections
+Live response leverages Microsoft Defender ATP sensor registration with WNS service in Windows.
+If you are having connectivity issues with live response, please confirm the following:
+1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+2. WpnService (Windows Push Notifications System Service) is not disabled.
+Please refer to the articles below to fully understand the WpnService service behavior and requirements:
+- [Windows Push Notification Services (WNS) overview](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview)
+- [Enterprise Firewall and Proxy Configurations to Support WNS Traffic](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config)
+- [Microsoft Push Notifications Service (MPNS) Public IP ranges](https://www.microsoft.com/en-us/download/details.aspx?id=44535)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
index e49cc30afe..56a0d71130 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
@@ -73,7 +73,7 @@ You'll need to whitelist the `securitycenter.windows.com` and all sub-domains un
## Portal communication issues
-If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation.
+If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communication.
- `*.blob.core.windows.net
crl.microsoft.com`
@@ -89,4 +89,4 @@ crl.microsoft.com`
## Related topics
-- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md)
\ No newline at end of file
+- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
index e4cd47a5a8..317cac63d6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
@@ -13,7 +13,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: troubleshooting
---
@@ -68,7 +68,7 @@ If the script fails and the event is an error, you can check the event ID in the
Event ID | Error Type | Resolution steps
:---|:---|:---
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
-10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator.
+10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
Verify that the script has been run as an administrator.
15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
@@ -79,7 +79,7 @@ Event ID | Error Type | Resolution steps
### Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
-If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
+If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
Use the following tables to understand the possible causes of issues while onboarding:
@@ -87,7 +87,7 @@ Use the following tables to understand the possible causes of issues while onboa
- Known issues with non-compliance table
- Mobile Device Management (MDM) event logs table
-If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.
+If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.
**Microsoft Intune error codes and OMA-URIs**:
@@ -140,7 +140,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
> [!NOTE]
- > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
+ > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
3. Select **Operational** to load the log.
@@ -282,28 +282,125 @@ You might also need to check the following:
- Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors.
-- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example,
+- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example,
-- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running.
+- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running.
-- Check to see that machines are reflected in the **Machines list** in the portal.
+- Check to see that machines are reflected in the **Machines list** in the portal.
+
+## Confirming onboarding of newly built machines
+There may be instances when onboarding is deployed on a newly built machine but not completed.
+
+The steps below provide guidance for the following scenario:
+- Onboarding package is deployed to newly built machines
+- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
+- Machine is turned off or restarted before the end user performs a first logon
+- In this scenario, the SENSE service will not start automatically even though onboarding package was deployed
+
+>[!NOTE]
+>The following steps are only relevant when using Microsoft Endpoint Configuration Manager (current branch)
-## Licensing requirements
-Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+1. Create an application in Microsoft Endpoint Configuration Manager current branch.
-- Windows 10 Enterprise E5
-- Windows 10 Education E5
-- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
+ 
-For more information, see [Windows 10 Licensing](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx#tab=2).
+2. Select **Manually specify the application information**.
+ 
+3. Specify information about the application, then select **Next**.
+ 
+
+4. Specify information about the software center, then select **Next**.
+ 
+
+5. In **Deployment types** select **Add**.
+ 
+
+6. Select **Manually specify the deployment type information**, then select **Next**.
+ 
+
+7. Specify information about the deployment type, then select **Next**.
+ 
+
+8. In **Content** > **Installation program** specify the command: `net start sense`.
+ 
+
+9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**.
+
+ 
+
+10. Specify the following detection rule details, then select **OK**:
+ 
+
+11. In **Detection method** select **Next**.
+ 
+
+12. In **User Experience**, specify the following information, then select **Next**:
+ 
+
+13. In **Requirements**, select **Next**.
+ 
+
+14. In **Dependencies**, select **Next**.
+ 
+
+15. In **Summary**, select **Next**.
+ 
+
+16. In **Completion**, select **Close**.
+
+ 
+
+17. In **Deployment types**, select **Next**.
+
+ 
+
+18. In **Summary**, select **Next**.
+ 
+
+ The status is then displayed
+ 
+
+19. In **Completion**, select **Close**.
+
+ 
+
+20. You can now deploy the application by right-clicking the app and selecting **Deploy**.
+
+ 
+
+21. In **General** select **Automatically distribute content for dependencies** and **Browse**.
+ 
+
+22. In **Content** select **Next**.
+ 
+
+23. In **Deployment settings**, select **Next**.
+ 
+
+24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**.
+ 
+
+25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**.
+ 
+
+26. In **Alerts** select **Next**.
+ 
+
+27. In **Summary**, select **Next**.
+ 
+
+ The status is then displayed
+ 
+
+28. In **Completion**, select **Close**.
+ 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink)
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 97a1b56853..05264dcf03 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -1,6 +1,6 @@
---
-title: What's in the dashboard and what it means for my organization's security posture
-description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their org's security resilience.
+title: Threat & Vulnerability Management dashboard insights
+description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
search.appverid: met150
search.product: eADQiWindows 10XVcnh
@@ -8,72 +8,85 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Threat & Vulnerability Management dashboard overview
+# Threat & Vulnerability Management dashboard insights
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
+
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+
- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
-- Correlate EDR insights with endpoint vulnerabilities and process them
+- Correlate EDR insights with endpoint vulnerabilities and process them
- Select remediation options, triage and track the remediation tasks
- Select exception options and track active exceptions
> [!NOTE]
> Machines that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score.
+Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard.
+
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv]
+
## Threat & Vulnerability Management in Microsoft Defender Security Center
-When you open the portal, you’ll see the main areas of the capability:
- 
-
- 
+When you open the portal, you'll see the main areas of the capability:
-- (1) Menu in the navigation pane
-- (2) Threat & Vulnerability Management icon
+- (1) Menu to open the navigation pane
+- (2) Threat & Vulnerability Management navigation pane
- (3) Threat & Vulnerability Management dashboard
-You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
+ 
+
+ 
+
+You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section.
+
+## Threat & Vulnerability Management navigation pane
Area | Description
:---|:---
-(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
-(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
-**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
-**Security recommendations** | See the list of security recommendations, their related components, whether software or software versions in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
-**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
-**Software inventory** | See the list of software, versions, weaknesses, whether there’s an exploit found on the software, whether the software or software version has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
-**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
-(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
-**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only.
-**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See [Exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) for more information.
-**Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
-**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached its end-of-life, or if the vulnerable version requires security updates and needs to be updated to the latest one). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
-**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
-**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
-**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
+**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
+[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
+[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
+[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates.
+[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
-See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
+## Threat & Vulnerability Management dashboard
+
+Area | Description
+:---|:---
+**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages.
+[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
+[**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page.
+**Machine exposure distribution** | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
+**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
+**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
+**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
+**Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine.
+
+See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal.
## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
@@ -81,4 +94,5 @@ See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/t
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index ad6de378c5..0305625c65 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -1,54 +1,85 @@
---
title: Exposure score
-description: The Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) exposure score reflects how vulnerable your organization is to cybersecurity threats.
-keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score
+description: The Microsoft Defender ATP exposure score reflects how vulnerable your organization is to cybersecurity threats.
+keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 06/30/2019
---
# Exposure score
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
+Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
-The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
+The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
-
+
## How it works
-Several factors affect your organization exposure score:
-- Weakness discovered on the device
-- Likelihood of a device getting breached
-- Value of the device to the organization
-- Relevant alert discovered on the device
+Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
-Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
+The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
+
+- Weaknesses, such as vulnerabilities discovered on the device
+- External and internal threats such as public exploit code and security alerts
+- Likelihood of the device to get breached given its current security posture
+- Value of the device to the organization given its role and content
+
+The exposure score is broken down into the following levels:
+
+- 0–29: low exposure score
+- 30–69: medium exposure score
+- 70–100: high exposure score
+
+You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
+
+## Reduce your threat and vulnerability exposure
+
+To lower your threat and vulnerability exposure, follow these steps.
+
+1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) and select an item on the list.
+
+ 
+
+ Always prioritize recommendations that are associated with ongoing threats:
+
+ -  Threat insight icon
+ -  Active alert icon
+
+2. The **Security recommendations** page will open, and a flyout for the recommendation you selected will open. The flyout panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Select **Open software page** option from the flyout panel. 
+
+3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. 
+
+4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. 
+
+5. Allow a few hours for the changes to propagate in the system.
+
+6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index ffd3002549..239b7afd31 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -8,135 +8,101 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/11/2019
---
-# Remediation and exception
+# Remediation activities and exceptions
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
-After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
+After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
-You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
+Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
-## Navigate through your remediation options
-You can access the remediation page in a few places in the portal:
-- Security recommendation flyout panel
-- Remediation in the navigation menu
-- Top remediation activities widget in the dashboard
+## Navigate to the Remediation page
-*Security recommendation flyout page*
-
You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
-1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
-2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
+You can access the Remediation page a few different ways:
->[!NOTE]
->If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
+- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Top remediation activities card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-3. Select a remediation due date.
-4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
+### Navigation menu
-If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
-*Remediation in the navigation menu*
-1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Software update** from the **Remediation type** filter. Select **In progress** then click **Apply**.
-
+### Top remediation activities in the dashboard
-2. Select the remediation activity that you need to see or process.
-
+View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
-*Top remediation activities widget in the dashboard*
-1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** widget. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
-2. Select the remediation activity that you need to see or process.
+
-## How it works
+## Remediation activities
-When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
+When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
-It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
+Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
+
-The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
+## Exceptions
-## When to file for exception instead of remediating issues
-You can file exceptions to exclude certain recommendation from showing up in reports and affecting risk scores or secure scores.
+When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md).
-When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**.
+The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status.
-Select **Exception options** and a flyout screen opens.
+
-
+### Exception actions and statuses
-### Exception justification
-If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options:
+You can take the following actions on an exception:
-- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
-- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
-- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
-- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
-- **Other** - False positive
-
-
- 
+- Cancel - You can cancel the exceptions you've filed any time
+- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
-### Exception visibility
-The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab.
-However, you also have the option to filter your view based on exception justification, type, and status.
+The following statuses will be a part of an exception:
-
-
-Aside from that, there's also an option to **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard.
-
-
-
-Clicking the link opens up to the **Security recommendations** page, where you can select the item exempted item with details.
-
-
-
-### Actions on exceptions
-- Cancel - You can cancel the exceptions you've filed any time
-- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
-
-### Exception status
-- **Canceled** - The exception has been canceled and is no longer in effect
-- **Expired** - The exception that you've filed is no longer in effect
-- **In effect** - The exception that you've filed is in progress
+- **Canceled** - The exception has been canceled and is no longer in effect
+- **Expired** - The exception that you've filed is no longer in effect
+- **In effect** - The exception that you've filed is in progress
### Exception impact on scores
-Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Secure Score (for configurations) of your organization in the following manner:
-- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
-- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
-- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Secure Score results out of the exception option that you made
+
+Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Configuration Score (for configurations) of your organization in the following manner:
+
+- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
+- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
+- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made
The exception impact shows on both the Security recommendations page column and in the flyout pane.
-
+
+
+### View exceptions in other places
+
+Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard to open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
+
+
## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-
-
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index a33b2a7311..c3e900103b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -1,6 +1,6 @@
---
-title: Security recommendation
-description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
+title: Security recommendations
+description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value.
keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -8,110 +8,168 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/11/2019
---
-# Security recommendation
+# Security recommendations
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
-The cyber security weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
+Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.
-Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
+Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
-## The basis of the security recommendation
-Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
+## How it works
-- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
+Each machine in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
-- Breach likelihood - Your organization's security posture and resilience against threats
+- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
-- Business value - Your organization's assets, critical processes, and intellectual properties
+- **Breach likelihood** - Your organization's security posture and resilience against threats
+- **Business value** - Your organization's assets, critical processes, and intellectual properties
-## Navigate through your security recommendations
+## Navigate to the Security recommendations page
-You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it.
+Access the Security recommendations page a few different ways:
-*Security recommendations option from the left navigation menu*
+- Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
+- Top security recommendations in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-1. Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open up the list of security recommendations for the threats and vulnerabilities found in your organization. It gives you an overview of the security recommendation context: weaknesses found, related components, the application and operating system where the threat or vulnerabilities were found, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities.
-
+View related security recommendations in the following places:
- >[!NOTE]
- > The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what’s on the left, which means an increase or decrease at the end of even a single machine will change the graph's color.
+- Software page
+- Machine page
- You can filter your view based on related components, status, and remediation type. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Active**, then select **Software update** from the **Remediation Type** filter, and click **Apply**.
-
+### Navigation menu
-2. Select the security recommendation that you need to investigate or process.
-
+Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization.
-
-*Top security recommendations from the dashboard*
+### Top security recommendations in the Threat & Vulnerability Management dashboard
-In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
+In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
-The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.
+
-You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, vulnerabilities, other threats found, how many exposed devices are associated with the security recommendation, and business impact of each security recommendation on the organizational exposure and configuration score.
+The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation.
-From that page, you can do any of the following depending on what you need to do:
+## Security recommendations overview
-- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time.
+View recommendations, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
-- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
+The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green.
-- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
+
+
+### Icons
+
+Useful icons also quickly calls your attention to: -  possible active alerts
-  associated public exploits
-  recommendation insights
+
+### Investigate
+
+Select the security recommendation that you want to investigate or process.
+
+
+
+From the flyout, you can do any of the following:
+
+- **Open software page** - Open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-support, and charts of the exposure trend over time.
+
+- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
+
+- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
+
+>[!NOTE]
+>When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
+
+## Request remediation
+
+The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
+
+### Enable Microsoft Intune connection
+
+To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.
+
+See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+### Remediation request steps
+
+1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
+
+2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to machines.
+
+3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
+
+4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.
+
+If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+>[!NOTE]
+>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
+
+## File for exception
+
+As an alternative to a remediation request, you can create exceptions for recommendations.
+
+There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
+
+Exceptions can be created for both Security update and Configuration change recommendations.
+
+When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
+
+1. Select a security recommendation you would like create an exception for, and then **Exception options**.
+
+
+2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+
+ The following list details the justifications behind the exception options:
+
+ - **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus
+ - **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow
+ - **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive
+ - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization
+ - **Other** - False positive
+
+3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
+
+4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab to view all your exceptions (current and past).
## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information in the machine page.
+You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
-1. Select the **Security recommendation** tab.
+1. Open the Security recommendation.
-2. Click **:** beside the security recommendation that you want to report about, then select **Report inaccuracy**.
-
-
A flyout pane opens.
-
+2. Select the three dots beside the security recommendation that you want to report, then select **Report inaccuracy**.
-3. From the flyout pane, select the inaccuracy category from the drop-down menu.
-
+
-4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
-
-5. Include your machine name for investigation context.
-
- >[!TIP]
- > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
-
-6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 4428d8a925..2f1c8da158 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -8,74 +8,84 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/11/2019
---
# Software inventory
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
-## Navigate through your software inventory
-1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached their end-of-life.
-
-2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**.
-3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. From the **Version distribution** tab, you can also filter the view by **Version EOL** if you want to see the software versions that has reached their end-of-life which needs to be uninstalled, replaced, or updated.
-
## How it works
-In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
+
+In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md).
Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
+## Navigate to the Software inventory page
+
+You can access the Software inventory page by selecting **Software inventory** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
+
+View software on specific machines in the individual machines pages from the [machines list](machines-view-overview.md).
+
+## Software inventory overview
+
+The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
+
+
+Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
+
+
+
+## Software pages
+
+Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information:
+
+- Side panel with vendor information, prevalence of the software in the organization (including number of machines it is installed on, and exposed machines that are not patched), whether and exploit is available, and impact to your exposure score
+- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed machines
+- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the machines that the software is installed on, and the specific versions of the software with the number of machines that have each version installed and number of vulnerabilities.
+
+
+
+## Software evidence
+
+We now show evidence of where we detected a specific software on a machine from the registry, disk or both machine on where we detected a certain software.
+You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence."
+
+From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
+
+
+
## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page.
-
-1. Select the **Software inventory** tab.
-
-2. Click **:** beside the software that you want to report about, and then select **Report inaccuracy**.
-
-
A flyout pane opens.
-
-
-3. From the flyout pane, select the inaccuracy category from the **Software inventory inaccuracy reason** drop-down menu.
-
-
-4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
-
-5. Include your machine name for investigation context.
-
- >[!NOTE]
- > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
-
-6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information.
+1. Open the software flyout on the Software inventory page.
+2. Select **Report inaccuracy**.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 568f6d7c1d..64933d374c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -1,15 +1,15 @@
---
-title: Threat & Vulnerability Management supported operating systems
+title: Threat & Vulnerability Management supported operating systems and platforms
description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for.
-keywords: mdatp-tvm supported os, mdatp-tvm, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
+keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
search.appverid: met150
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -19,9 +19,10 @@ ms.topic: article
# Threat & Vulnerability Management supported operating systems and platforms
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
@@ -33,17 +34,19 @@ Windows 7 | Operating System (OS) vulnerabilities
Windows 8.1 | Not supported
Windows 10 1607-1703 | Operating System (OS) vulnerabilities
Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2008R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
-Windows Server 2012R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
-Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
-Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
+Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
MacOS | Not supported (planned)
Linux | Not supported (planned)
-Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) list.
+Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
@@ -51,5 +54,5 @@ Some of the above prerequisites might be different from the [Minimum requirement
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index de5dd35eec..4b7a5cb97e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -8,26 +8,26 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 10/31/2019
---
# Weaknesses
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
-The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
@@ -36,105 +36,95 @@ The **Weaknesses** page lists down the vulnerabilities found in the infected sof
>- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
>- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+## Navigate to the Weaknesses page
-## Navigate through your organization's weaknesses page
-You can access the list of vulnerabilities in a few places in the portal:
+Access the Weaknesses page a few different ways:
+
+- Selecting **Weaknesses** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
- Global search
-- Weaknesses option in the navigation menu
-- Top vulnerable software widget in the dashboard
-- Discovered vulnerabilities page in the machine page
-*Vulnerabilities in global search*
-1. Click the global search drop-down menu.
-2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then click the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
-
-3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
+### Navigation menu
- > [!NOTE]
- > To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
+Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open the list of CVEs.
-*Weaknesses page in the menu*
-1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
-2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, dates when it was published and updated, related software, exploit kits available, vulnerability type, link to useful reference, and number of exposed machines which users can also export.
-
+### Vulnerabilities in global search
-*Top vulnerable software widget in the dashboard*
-1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
-
-2. Click the software that you want to investigate and it takes you to the software page. You will see the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation.
-3. Select the **Discovered vulnerabilities** tab.
-4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+1. Go to the global search drop-down menu.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
+
+3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
-*Discovered vulnerabilities in the machine page*
-1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens.
-
-2. In the **Machines list** page, select the machine that you want to investigate.
-
-
A flyout pane opens with machine details and response action options.
-
-3. In the flyout pane, select **Open machine page**. A page opens with details and response options for the machine you want to investigate.
-
-4. Select **Discovered vulnerabilities**.
-5. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
-## How it works
-When new vulnerabilities are released, you would want to know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
+## Weaknesses overview
-If the **Exposed Machines** column shows 0, that means you are not at risk.
+If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.
-If exposed machines exist, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
+
-You can also see the related alert and threat insights in the **Threat** column.
-
-The breach insights icon is highlighted if there is a vulnerability found in your organization. Prioritize an investigation because it means there might be a breach in your organization.
-
-
-
-The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has zero-day exploitation news, disclosures, or related security advisories.
-
-
+### Breach and threat insights
+You can view the related breach and threat insights in the **Threat** column when the icons are colored red.
>[!NOTE]
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and breach insight  icon.
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon  and breach insight icon .
+
+The breach insights icon is highlighted if there is a vulnerability found in your organization.
+
+
+The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories.
+
+
+
+## View Common Vulnerabilities and Exposures (CVE) entries in other places
+
+### Top vulnerable software in the dashboard
+
+1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
+
+2. Select the software that you want to investigate to go a drill down page.
+3. Select the **Discovered vulnerabilities** tab.
+4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+
+
+
+### Discover vulnerabilities in the machine page
+
+View related weaknesses information in the machine page.
+
+1. Go to the Microsoft Defender Security Center navigation menu bar, then select the machine icon. The **Machines list** page opens.
+2. In the **Machines list** page, select the machine name that you want to investigate.
+
+3. The machine page will open with details and response options for the machine you want to investigate.
+4. Select **Discovered vulnerabilities**.
+
+5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
+
+#### CVE Detection logic
+
+Similar to the software evidence, we now show the detection logic we applied on a machine in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the machine page) that shows the detection logic and source.
+
+
## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate, missing, or already remediated vulnerability information in the machine page.
-
-1. Select the **Discovered vulnerabilities** tab.
-
-2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**.
-
-
A flyout pane opens.
-
-
-3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu.
-
-
-4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
-
-5. Include your machine name for investigation context.
-
- > [!NOTE]
- > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
-
-6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
+1. Open the CVE on the Weaknesses page.
+2. Select **Report inaccuracy**.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
+
+- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
+- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md
index dbf6830312..1b86e94b66 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/use.md
@@ -29,7 +29,7 @@ Microsoft Defender Security Center is the portal where you can access Microsoft
Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.
-Use the **Secure Score** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
+Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
@@ -39,5 +39,5 @@ Topic | Description
:---|:---
[Portal overview](portal-overview.md) | Understand the portal layout and area descriptions.
[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
-[View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
+[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines.
[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify machines for the presence or absence of mitigations.
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index 379bc21985..a2a976d975 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -70,7 +70,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
For more information on the available commands, see [Investigate machines using Live response](live-response.md).
-4. Click **Next** to assign the role to an Azure AD group.
+4. Click **Next** to assign the role to an Azure AD Security group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
@@ -79,7 +79,8 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
7. Apply the configuration settings.
-After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.
+> [!IMPORTANT]
+> After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.
## Edit roles
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index 5a60f9e9ae..e64f5c502c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -26,7 +26,7 @@ ms.topic: article
Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.
-You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions.
+You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. If an element on the page you’re viewing is making calls to a resource which is blocked, you will see a block notification.
Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support.
@@ -73,7 +73,7 @@ Cyren's web content classification technology is integrated by design into Micro
Learn more at https://www.cyren.com/products/url-filtering.
-### Cyren permissions
+### Cyren Permissions
"Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license.
@@ -81,7 +81,10 @@ Learn more at https://www.cyren.com/products/url-filtering.
### Signing up for a Cyren License
-Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal.
+Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal.
+
+>[!NOTE]
+>Make sure to add the URL you get redirected to by the signup process to the list of approved domains.
>[!NOTE]
>A user with AAD app admin/global admin permissions is required to complete these steps.
@@ -168,4 +171,4 @@ You need to be logged in to an AAD account with either App administrator or Glob
- [Web protection overview](web-protection-overview.md)
- [Web threat protection](web-threat-protection.md)
- [Monitor web security](web-protection-monitoring.md)
-- [Respond to web threats](web-protection-response.md)
\ No newline at end of file
+- [Respond to web threats](web-protection-response.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 2d9187a57f..2d474782f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -27,6 +27,13 @@ The following features are generally available (GA) in the latest release of Mic
For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
+RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
+`https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Defender+ATP%22&locale=en-us`
+
+## April 2020
+
+- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+
## November-December 2019
- [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md)
Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md).
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png
new file mode 100644
index 0000000000..74f9fb15ed
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png
new file mode 100644
index 0000000000..daa96d291d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png differ
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png
rename to windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png
rename to windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
similarity index 55%
rename from windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
rename to windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 939db827c5..60760b7cac 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -1,7 +1,7 @@
---
-title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
-description: A list of all available setttings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
+title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
+description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -13,13 +13,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
---
-# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
+# Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
**Applies to:**
- Windows 10
- Windows 10 Mobile
-Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
+Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
@@ -35,48 +35,48 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreenWindows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen |
At least Windows Server 2012, Windows 8 or Windows RT |
-This policy setting turns on Windows Defender SmartScreen. If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Windows Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen. |
+This policy setting turns on Microsoft Defender SmartScreen. If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. |
| Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control |
Windows 10, version 1703 |
-This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. Windows Defender SmartScreen must be enabled for this feature to work properly. If you enable this setting, your employees can only install apps from the Microsoft Store. If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet. If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store. |
+This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.This setting does not protect against malicious content from USB devices, network shares or other non-internet sources. Important: Using a trustworthy browser helps ensure that these protections work as expected. |
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreenWindows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen |
Microsoft Edge on Windows 10 or later |
-This policy setting turns on Windows Defender SmartScreen. If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen. |
+This policy setting turns on Microsoft Defender SmartScreen. If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. |
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesWindows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files |
Microsoft Edge on Windows 10, version 1511 or later |
-This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files. If you enable this setting, it stops employees from bypassing the warning, stopping the file download. If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files. |
+This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files. If you enable this setting, it stops employees from bypassing the warning, stopping the file download. If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files. |
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesWindows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites |
Microsoft Edge on Windows 10, version 1511 or later |
-This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites. If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site. If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site. |
+This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites. If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site. If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site. |
| Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter |
Internet Explorer 9 or later |
-This policy setting prevents the employee from managing Windows Defender SmartScreen. If you enable this policy setting, the employee isn't prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee. If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience. |
+This policy setting prevents the employee from managing Microsoft Defender SmartScreen. If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee. If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience. |
| Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings |
Internet Explorer 8 or later |
-This policy setting determines whether an employee can bypass warnings from Windows Defender SmartScreen. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings. |
+This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen. If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings. |
| Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet |
Internet Explorer 9 or later |
-This policy setting determines whether the employee can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings. |
+This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet. If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings. |
## MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
-For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
+For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
| Setting |
@@ -91,8 +91,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
- URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
- Data type. Integer
- Allowed values:
-- 0 . Turns off Windows Defender SmartScreen in Edge.
-- 1. Turns on Windows Defender SmartScreen in Edge.
+- 0 . Turns off Microsoft Defender SmartScreen in Edge.
+- 1. Turns on Microsoft Defender SmartScreen in Edge.
@@ -115,8 +115,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
- URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
- Data type. Integer
- Allowed values:
-- 0 . Turns off Windows Defender SmartScreen in Windows for app and file execution.
-- 1. Turns on Windows Defender SmartScreen in Windows for app and file execution.
+- 0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
+- 1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
@@ -127,8 +127,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
- URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
- Data type. Integer
- Allowed values:
-- 0 . Employees can ignore Windows Defender SmartScreen warnings and run malicious files.
-- 1. Employees can't ignore Windows Defender SmartScreen warnings and run malicious files.
+- 0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
+- 1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
@@ -139,8 +139,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
- URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
- Data type. Integer
- Allowed values:
-- 0 . Employees can ignore Windows Defender SmartScreen warnings.
-- 1. Employees can't ignore Windows Defender SmartScreen warnings.
+- 0 . Employees can ignore Microsoft Defender SmartScreen warnings.
+- 1. Employees can't ignore Microsoft Defender SmartScreen warnings.
@@ -151,16 +151,16 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
- URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
- Data type. Integer
- Allowed values:
-- 0 . Employees can ignore Windows Defender SmartScreen warnings for files.
-- 1. Employees can't ignore Windows Defender SmartScreen warnings for files.
+- 0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
+- 1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
## Recommended Group Policy and MDM settings for your organization
-By default, Windows Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Windows Defender SmartScreen to block high-risk interactions instead of providing just a warning.
+By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
-To better help you protect your organization, we recommend turning on and using these specific Windows Defender SmartScreen Group Policy and MDM settings.
+To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
| Group Policy setting |
@@ -168,7 +168,7 @@ To better help you protect your organization, we recommend turning on and using
| Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen |
-Enable. Turns on Windows Defender SmartScreen. |
+Enable. Turns on Microsoft Defender SmartScreen. |
| Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites |
@@ -176,7 +176,7 @@ To better help you protect your organization, we recommend turning on and using
| Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files |
-Enable. Stops employees from ingnoring warning messages and continuing to download potentially malicious files. |
+Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files. |
| Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen |
@@ -191,7 +191,7 @@ To better help you protect your organization, we recommend turning on and using
| Browser/AllowSmartScreen |
-1. Turns on Windows Defender SmartScreen. |
+1. Turns on Microsoft Defender SmartScreen. |
| Browser/PreventSmartScreenPromptOverride |
@@ -199,11 +199,11 @@ To better help you protect your organization, we recommend turning on and using
| Browser/PreventSmartScreenPromptOverrideForFiles |
-1. Stops employees from ingnoring warning messages and continuing to download potentially malicious files. |
+1. Stops employees from ignoring warning messages and continuing to download potentially malicious files. |
| SmartScreen/EnableSmartScreenInShell |
-1. Turns on Windows Defender SmartScreen in Windows. Requires at least Windows 10, version 1703. |
+1. Turns on Microsoft Defender SmartScreen in Windows. Requires at least Windows 10, version 1703. |
| SmartScreen/PreventOverrideForFilesInShell |
@@ -214,7 +214,7 @@ To better help you protect your organization, we recommend turning on and using
## Related topics
- [Threat protection](../index.md)
-- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
+- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)
- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies)
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
new file mode 100644
index 0000000000..973fe53199
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -0,0 +1,93 @@
+---
+title: Microsoft Defender SmartScreen overview (Windows 10)
+description: Conceptual info about Microsoft Defender SmartScreen.
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+ms.author: macapara
+audience: ITPro
+ms.localizationpriority: medium
+ms.date: 11/27/2019
+ms.reviewer:
+manager: dansimp
+---
+
+# Microsoft Defender SmartScreen
+
+**Applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+- Microsoft Edge
+
+Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
+
+**Microsoft Defender SmartScreen determines whether a site is potentially malicious by:**
+
+- Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
+
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
+
+**Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
+
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
+
+- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution.
+
+## Benefits of Microsoft Defender SmartScreen
+
+Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
+
+- **Anti-phishing and anti-malware support.** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+
+- **Reputation-based URL and app protection.** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
+
+- **Operating system integration.** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+
+- **Improved heuristics and diagnostic data.** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
+
+- **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
+
+- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
+
+> [!IMPORTANT]
+> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
+
+## Submit files to Microsoft Defender SmartScreen for review
+
+If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more info, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+
+When submitting Microsoft Defender Smartscreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
+
+
+
+## Viewing Microsoft Defender SmartScreen anti-phishing events
+
+When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
+
+## Viewing Windows event logs for Microsoft Defender SmartScreen
+Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
+
+Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
+
+```
+wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
+```
+
+> [!NOTE]
+> For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1).
+
+
+EventID | Description
+-|-
+1000 | Application Windows Defender SmartScreen Event
+1001 | Uri Windows Defender SmartScreen Event
+1002 | User Decision Windows Defender SmartScreen Event
+
+## Related topics
+- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [Threat protection](../index.md)
+- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
new file mode 100644
index 0000000000..728d759855
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
@@ -0,0 +1,88 @@
+---
+title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows 10)
+description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps.
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/13/2017
+ms.reviewer:
+manager: dansimp
+ms.author: macapara
+---
+
+# Set up and use Microsoft Defender SmartScreen on individual devices
+
+**Applies to:**
+- Windows 10, version 1703
+- Windows 10 Mobile
+- Microsoft Edge
+
+Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
+
+## How users can use Windows Security to set up Microsoft Defender SmartScreen
+Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it.
+
+>[!NOTE]
+>If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
+
+**To use Windows Security to set up Microsoft Defender SmartScreen on a device**
+1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**.
+
+2. In the **Reputation-based protection** screen, choose from the following options:
+
+ - In the **Check apps and files** area:
+
+ - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue.
+
+ - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
+
+ - In the **Microsoft Defender SmartScreen for Microsoft Edge** area:
+
+ - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge.
+
+ - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
+ - In the **Potentially unwanted app blocking** area:
+
+ - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria#potentially-unwanted-application-pua).
+ - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device.
+
+ - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium).
+
+ - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps.
+
+ - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area:
+
+ - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue.
+
+ - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
+
+ 
+
+## How Microsoft Defender SmartScreen works when a user tries to run an app
+Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
+
+By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended).
+
+## How users can report websites as safe or unsafe
+Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
+
+**To report a website as safe from the warning message**
+- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
+
+**To report a website as unsafe from Microsoft Edge**
+- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
+
+**To report a website as unsafe from Internet Explorer 11**
+- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
+
+## Related topics
+- [Threat protection](../index.md)
+
+- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index fe80c5c8a4..ee51de1614 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -86,7 +86,7 @@ Windows Defender SmartScreen notifies users if they click on reported phishing a
For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
-For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+For more information, see [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
### Windows Defender Antivirus
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 4c475c71c0..0ac210bfc0 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -41,10 +41,10 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
- - Office 365 ProPlus (Sept 2019)
+ - Microsoft 365 Apps for enterprise (Sept 2019)
- Microsoft Edge security baseline
- - Version 79
+ - Version 80
- Tools
- Policy Analyzer tool
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index b777bb0066..378bc21d36 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -20,7 +20,8 @@ ms.date: 04/19/2017
# Administer security policy settings
**Applies to**
-- Windows 10
+
+- Windows 10
This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
@@ -30,90 +31,46 @@ Security settings policies are rules that you can configure on a device, or mult
Security settings can control:
-- User authentication to a network or device.
-- The resources that users are permitted to access.
-- Whether to record a user’s or group’s actions in the event log.
-- Membership in a group.
+- User authentication to a network or device.
+- The resources that users are permitted to access.
+- Whether to record a user's or group's actions in the event log.
+- Membership in a group.
For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md).
To manage security configurations for multiple computers, you can use one of the following options:
-- Edit specific security settings in a GPO.
-- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security.
-## What’s changed in how settings are administered?
+- Edit specific security settings in a GPO.
+- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security.
+
+## What's changed in how settings are administered
Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered.
-
-
-
-
-
-
-
-
-
-
-Security Policy snap-in |
-Secpol.msc
-MMC snap-in designed to manage only security policy settings. |
-
-
-Security editor command line tool |
-Secedit.exe
-Configures and analyzes system security by comparing your current configuration to specified security templates. |
-
-
-Security Compliance Manager |
-Tool download
-A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications. |
-
-
-Security Configuration Wizard |
-Scw.exe
-SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. |
-
-
-Security Configuration Manager tool |
-This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain. |
-
-
-Group Policy |
-Gpmc.msc and Gpedit.msc
-The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device. |
-
-
-Software Restriction Policies
-See Administer Software Restriction Policies. |
-Gpedit.msc
-Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run. |
-
-
-AppLocker
-See Administer AppLocker. |
-Gpedit.msc
-Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications. |
-
-
-
-
+|Tool or feature |Description and use |
+|---------|---------|
+|[Security Policy snap-in](#using-the-local-security-policy-snap-in)|Secpol.msc
MMC snap-in designed to manage only security policy settings.|
+|[Security editor command line tool](#using-the-secedit-command-line-tool) |Secedit.exe
Configures and analyzes system security by comparing your current configuration to specified security templates.|
+|[Security Compliance Manager](#using-the-security-compliance-manager)|Tool download
A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.|
+|[Security Configuration Wizard](#using-the-security-configuration-wizard)|Scw.exe
SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.|
+|[Security Configuration Manager tool](#working-with-the-security-configuration-manager)|This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.|
+|[Group Policy](#working-with-group-policy-tools)|Gpmc.msc and Gpedit.msc
The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.|
+|Software Restriction Policies
See [Administer Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/administer-software-restriction-policies)|Gpedit.msc
Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.|
+|Administer AppLocker
See [Administer AppLocker](/windows/device-security/applocker/administer-applocker)|Gpedit.msc
Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.|
+
## Using the Local Security Policy snap-in
The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features:
-- Account Policies
-- Local Policies
-- Windows Firewall with Advanced Security
-- Network List Manager Policies
-- Public Key Policies
-- Software Restriction Policies
-- Application Control Policies
-- IP Security Policies on Local Computer
-- Advanced Audit Policy Configuration
+- Account Policies
+- Local Policies
+- Windows Firewall with Advanced Security
+- Network List Manager Policies
+- Public Key Policies
+- Software Restriction Policies
+- Application Control Policies
+- IP Security Policies on Local Computer
+- Advanced Audit Policy Configuration
Policies set locally might be overwritten if the computer is joined to the domain.
@@ -123,12 +80,12 @@ The Local Security Policy snap-in is part of the Security Configuration Manager
The secedit command-line tool works with security templates and provides six primary functions:
-- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server.
-- The **Analyze** parameter compares the server’s security configuration with the selected template.
-- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also.
-- The **Export** parameter allows you to export the settings from a database into a security settings template.
-- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue.
-- The **Generate Rollback** parameter saves the server’s current security settings into a security template so it can be used to restore most of the server’s security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
+- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server.
+- The **Analyze** parameter compares the server's security configuration with the selected template.
+- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also.
+- The **Export** parameter allows you to export the settings from a database into a security settings template.
+- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue.
+- The **Generate Rollback** parameter saves the server's current security settings into a security template so it can be used to restore most of the server's security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
## Using the Security Compliance Manager
@@ -136,10 +93,10 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
**To administer security policies by using the Security Compliance Manager**
-1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
-2. Read the relevant security baseline documentation that is included in this tool.
-3. Download and import the relevant security baselines. The installation process steps you through baseline selection.
-4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
+1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
+1. Read the relevant security baseline documentation that is included in this tool.
+1. Download and import the relevant security baselines. The installation process steps you through baseline selection.
+1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
## Using the Security Configuration Wizard
@@ -155,62 +112,36 @@ The following are considerations for using SCW:
- SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles.
- All apps that use the IP protocol and ports must be running on the server when you run SCW.
- In some cases, you must be connected to the Internet to use the links in the SCW help.
- > **Note** The SCW is available only on Windows Server and only applicable to server installations.
-
+ > [!NOTE]
+ > The SCW is available only on Windows Server and only applicable to server installations.
+
The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to:
-- Create a security policy that can be applied to any server on your network.
-- Edit an existing security policy.
-- Apply an existing security policy.
-- Roll back the last applied security policy.
+- Create a security policy that can be applied to any server on your network.
+- Edit an existing security policy.
+- Apply an existing security policy.
+- Roll back the last applied security policy.
-The Security Policy Wizard configures services and network security based on the server’s role, as well as configures auditing and registry settings.
+The Security Policy Wizard configures services and network security based on the server's role, as well as configures auditing and registry settings.
-For more information about SCW, including procedures, see [Security Configuration Wizard](https://technet.microsoft.com/library/cc754997.aspx).
+For more information about SCW, including procedures, see [Security Configuration Wizard](https://docs.microsoft.com/previous-versions/orphan-topics/ws.11/cc754997(v=ws.11)).
## Working with the Security Configuration Manager
The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.
-For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://technet.microsoft.com/library/cc758219(WS.10).aspx).
+For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc758219(v=ws.10)).
The following table lists the features of the Security Configuration Manager.
-
-
-
-
-
-
-
-
-
-
-Security Configuration and Analysis |
-Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer. |
-
-
-Security templates |
-Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer. |
-
-
-Security Settings extension to Group Policy |
-Edits individual security settings on a domain, site, or organizational unit. |
-
-
-Local Security Policy |
-Edits individual security settings on your local computer. |
-
-
-Secedit |
-Automates security configuration tasks at a command prompt. |
-
-
-
-
+|Security Configuration Manager tools |Description |
+|---------|---------|
+|[Security Configuration and Analysis](#security-configuration-and-analysis) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.|
+|[Security templates](#security-templates) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.|
+|[Security Settings extension to Group Policy](#security-settings-extension-to-group-policy) |Edits individual security settings on a domain, site, or organizational unit.|
+|[Local Security Policy](#local-security-policy)|Edits individual security settings on your local computer.|
+|Secedit |Automates security configuration tasks at a command prompt.|
+
### Security Configuration and Analysis
Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security.
@@ -238,19 +169,19 @@ To apply a security template to your local device, you can use Security Configur
Security templates can be used to define:
-- Account Policies
- - Password Policy
- - Account Lockout Policy
- - Kerberos Policy
-- Local Policies
- - Audit Policy
- - User Rights Assignment
- - Security Options
-- Event Log: Application, system, and security Event Log settings
-- Restricted Groups: Membership of security-sensitive groups
-- System Services: Startup and permissions for system services
-- Registry: Permissions for registry keys
-- File System: Permissions for folders and files
+- Account Policies
+ - Password Policy
+ - Account Lockout Policy
+ - Kerberos Policy
+- Local Policies
+ - Audit Policy
+ - User Rights Assignment
+ - Security Options
+- Event Log: Application, system, and security Event Log settings
+- Restricted Groups: Membership of security-sensitive groups
+- System Services: Startup and permissions for system services
+- Registry: Permissions for registry keys
+- File System: Permissions for folders and files
Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template.
@@ -260,15 +191,15 @@ Organizational units, domains, and sites are linked to Group Policy Objects. The
Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control:
-- How users are authenticated to a network or device
-- What resources users are authorized to use.
-- Whether or not a user's or group's actions are recorded in the event log.
-- Group membership.
+- How users are authenticated to a network or device
+- What resources users are authorized to use.
+- Whether or not a user's or group's actions are recorded in the event log.
+- Group membership.
You can change the security configuration on multiple computers in two ways:
-- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object.
-- Change a few select settings with security settings.
+- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object.
+- Change a few select settings with security settings.
### Local Security Policy
@@ -276,59 +207,61 @@ A security policy is a combination of security settings that affect the security
With the local security policy, you can control:
-- Who accesses your device.
-- What resources users are authorized to use on your device.
-- Whether or not a user’s or group's actions are recorded in the event log.
+- Who accesses your device.
+- What resources users are authorized to use on your device.
+- Whether or not a user's or group's actions are recorded in the event log.
If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence.
-1. Organizational unit policy
-2. Domain policy
-3. Site policy
-4. Local computer policy
+1. Organizational unit policy
+1. Domain policy
+1. Site policy
+1. Local computer policy
If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts.
### Using the Security Configuration Manager
-For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about:
+For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784762(v=ws.10)). This section contains information in this topic about:
-- [Applying security settings](#bkmk-applysecsettings)
-- [Importing and exporting security templates](#bkmk-impexpsectmpl)
-- [Analyzing security and viewing results](#bkmk-anasecviewresults)
-- [Resolving security discrepancies](#bkmk-resolvesecdiffs)
-- [Automating security configuration tasks](#bkmk-autoseccfgtasks)
+- [Applying security settings](#applying-security-settings)
+- [Importing and exporting security templates](#importing-and-exporting-security-templates)
+- [Analyzing security and viewing results](#analyzing-security-and-viewing-results)
+- [Resolving security discrepancies](#resolving-security-discrepancies)
+- [Automating security configuration tasks](#automating-security-configuration-tasks)
### Applying security settings
Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object:
-- When a device is restarted, the settings on that device will be refreshed.
-- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe.
+- When a device is restarted, the settings on that device will be refreshed.
+- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe.
**Precedence of a policy when more than one policy is applied to a computer**
For security settings that are defined by more than one policy, the following order of precedence is observed:
-1. Organizational Unit Policy
-2. Domain Policy
-3. Site Policy
-4. Local computer Policy
+1. Organizational Unit Policy
+1. Domain Policy
+1. Site Policy
+1. Local computer Policy
For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override
both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
-> **Note** Use gpresult.exe to find out what policies are applied to a device and in what order.
+
+> [!NOTE]
+> Use gpresult.exe to find out what policies are applied to a device and in what order.
For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
-
+
**Persistence in security settings**
Security settings may still persist even if a setting is no longer defined in the policy that originally applied it.
Persistence in security settings occurs when:
-- The setting has not been previously defined for the device.
-- The setting is for a registry object.
-- The setting is for a file system object.
+- The setting has not been previously defined for the device.
+- The setting is for a registry object.
+- The setting is for a file system object.
All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing."
@@ -350,42 +283,14 @@ Security Configuration and Analysis performs security analysis by comparing the
Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**.
-
-
-
-
-
-
-
-
-
-
-Red X |
-The entry is defined in the analysis database and on the system, but the security setting values do not match. |
-
-
-Green check mark |
-The entry is defined in the analysis database and on the system and the setting values match. |
-
-
-Question mark |
-The entry is not defined in the analysis database and, therefore, was not analyzed.
-If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area. |
-
-
-Exclamation point |
-This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system. |
-
-
-No highlight |
-The item is not defined in the analysis database or on the system. |
-
-
-
-
+|Visual flag |Meaning |
+|---------|---------|
+|Red X |The entry is defined in the analysis database and on the system, but the security setting values do not match.|
+|Green check mark |The entry is defined in the analysis database and on the system and the setting values match.|
+|Question mark |The entry is not defined in the analysis database and, therefore, was not analyzed.
If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.|
+|Exclamation point |This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.|
+|No highlight |The item is not defined in the analysis database or on the system.|
+
If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis.
To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template.
@@ -394,11 +299,12 @@ To avoid continued flagging of settings that you have investigated and determine
You can resolve discrepancies between analysis database and system settings by:
-- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
-- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels.
-- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
-Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
-You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
+- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
+- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels.
+- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
+Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
+You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
+In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
### Automating security configuration tasks
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
index ad211f1718..5e75ce5325 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
@@ -92,7 +92,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Accounts that have the **Deny log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources and cause a denial-of-service condition.
+Accounts that have the **Log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources and cause a denial-of-service condition.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
index 727eb7097a..5d4835f444 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 07/13/2017
+ms.date: 2/6/2020
---
# Increase scheduling priority
@@ -75,15 +75,15 @@ A user who is assigned this user right could increase the scheduling priority of
### Countermeasure
-Verify that only Administrators and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them.
+Verify that only Administrators and Window Manager\Window Manager Group have the **Increase scheduling priority** user right assigned to them.
### Potential impact
-None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager/Window Manager Group is the default configuration.
+None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager\Window Manager Group is the default configuration.
> [!Warning]
> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
->
+>
> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
index e1d64c8cfd..84ae5e963d 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
@@ -2,7 +2,7 @@
title: Interactive logon Don't display username at sign-in (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display username at sign-in security policy setting.
ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
-ms.reviewer:
+ms.reviewer:
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
@@ -20,9 +20,9 @@ ms.date: 04/19/2017
# Interactive logon: Don't display username at sign-in
**Applies to**
-- Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8, Windows 10
+- Windows 10, Windows Server 2019
-Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting.
+Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting.
## Reference
@@ -56,7 +56,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Domain controller effective default settings | Not defined|
| Member server effective default settings | Not defined|
| Effective GPO default settings on client computers | Not defined|
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index accf7f1ab2..07e009dc0e 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -28,6 +28,9 @@ Describes the best practices, location, values, management, and security conside
Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
+> [!NOTE]
+> If the **Interactive logon: Machine inactivity limit** security policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings.
+
### Possible values
The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours).
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
index 217b812683..300344160d 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -1,6 +1,6 @@
---
-title: Interactive logon Prompt user to change password before expiration (Windows 10)
-description: Best practices, security considerations, and more for the security policy setting, Interactive logon Prompt user to change password before expiration.
+title: Interactive log-on prompt user to change password before expiration (Windows 10)
+description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration.
ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9
ms.reviewer:
ms.author: dansimp
@@ -17,52 +17,52 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
-# Interactive logon: Prompt user to change password before expiration
+# Interactive log on: Prompt the user to change passwords before expiration
**Applies to**
- Windows 10
-Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting.
+This article describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting.
## Reference
-The **Interactive logon: Prompt user to change password before expiration** policy setting determines how many days in advance users are warned that their passwords are about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong.
+This policy setting determines when users are warned that their passwords are about to expire. This warning gives users time to select a strong password before their current password expires to avoid losing system access.
### Possible values
-- A user-defined number of days from 0 through 999.
-- Not defined.
+- A user-defined number of days from 0 through 999
+- Not defined
### Best practices
-1. Configure user passwords to expire periodically. Users will need warning that their passwords are going to expire, or they might inadvertently get locked out of the system. This could lead to confusion for users who access the network locally, or make it impossible for users who access the network through dial-up or virtual private network (VPN) connections to log on.
-2. Set **Interactive logon: Prompt user to change password before expiration** to 5 days. When their password expiration date is 5 or fewer days away, users will see a dialog box each time they log on to the domain.
-3. Do not set the value to 0, which results in displaying the password expiration warning every time the user logs on.
+- Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system.
+- Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain.
+- Don't set the value to zero, which displays the password expiration warning every time the user logs on.
### Location
-Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+*Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options*
### Default values
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the default values for this policy. Default values are also listed on the policy’s property page.
-| Server type or GPO | Default value |
+| Server type or Group Policy Object | Default value |
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | 5 days|
-| DC Effective Default Settings | 5 days |
-| Member Server Effective Default Settings| 5 days |
-| Client Computer Effective Default Settings | 5 days|
+| Stand-Alone Server Default Settings | Five days|
+| DC Effective Default Settings | Five days |
+| Member Server Effective Default Settings| Five days |
+| Client Computer Effective Default Settings | Five days|
## Policy management
-This section describes features and tools that are available to help you manage this policy.
+This section describes features and tools that you can use to manage this policy.
### Restart requirement
-None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
+None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
### Policy conflict considerations
@@ -70,24 +70,24 @@ None.
### Group Policy
-This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
+Configure this policy setting by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, it can be configured on the local computer through the Local Security Policy snap-in.
## Security considerations
-This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and possible negative consequences of the countermeasure.
### Vulnerability
-If user passwords are configured to expire periodically in your organization, users need to be warned when this is about to happen, or they may be locked out of the device inadvertently when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections.
+If user passwords are configured to expire periodically in your organization, users need to be warned before expiration. Otherwise, they may get locked out of the devices inadvertently.
### Countermeasure
-Configure the **Interactive logon: Prompt user to change password before expiration** setting to 5 days.
+Configure the **Interactive logon: Prompt user to change password before expiration** setting to five days.
### Potential impact
-Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.
+Users see a dialog-box that prompts them to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.
## Related topics
-- [Security Options](security-options.md)
+- [Security options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
index c9c8515fe5..a20693d19b 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
@@ -32,6 +32,9 @@ If smart cards are used for authentication, the device should automatically lock
If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed. Users will have to reinsert their smart cards and reenter their PINs when they return to their workstations.
+> [!NOTE]
+> This policy depends on **Smart Card Removal Policy** service. The service must be running for the policy to take effect, so it is recommended to set the startup type of the service to **Automatic**.
+
### Possible values
- No Action
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index d36aa5c106..457ba6494f 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -1,6 +1,6 @@
---
title: Microsoft network client Digitally sign communications (always) (Windows 10)
-description: Best practices, security considerations and more for the security policy setting, Microsoft network client Digitally sign communications (always).
+description: Best practices and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
ms.reviewer:
manager: dansimp
@@ -20,46 +20,46 @@ ms.date: 06/28/2018
- Windows 10
- Windows Server
-Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.
+This article describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.
## Reference
-The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
+The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports digital signing of SMB packets.
-Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data access failure.
+Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." Misuse of these policy settings is a common error that can cause data access failure.
-Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
+Beginning with SMBv2 clients and servers, signing can be either *required* or *not required*. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
-There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2.
+Negotiation occurs between the SMB client and the SMB server to decide whether signing will be used. The following table shows the effective behavior for SMBv3 and SMBv2.
-| | Server – Required | Server – Not Required |
+| | Server – required | Server – not required |
|---------------------------|---------------------|------------------------|
-| **Client – Required** | Signed | Signed |
-| **Client – Not Required** | Signed 1 | Not Signed2 |
+| **Client – required** | Signed | Signed |
+| **Client – not required** | Signed 1 | Not signed2 |
1 Default for domain controller SMB traffic
2 Default for all other SMB traffic
-Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact).
+Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact).
### Possible values
- Enabled
- Disabled
-### Best practices
+### Best practice
Enable **Microsoft network client: Digitally sign communications (always)**.
### Location
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+*Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options*
### Default values
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the default values for this policy. Default values are also listed on the policy’s property page.
| Server type or GPO | Default value |
| - | - |
@@ -72,33 +72,33 @@ The following table lists the actual and effective default values for this polic
## Policy management
-This section describes features and tools that are available to help you manage this policy.
+This section describes features and tools that you can use to manage this policy.
### Restart requirement
-None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
+None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
## Security considerations
-This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure.
### Vulnerability
-Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data.
+Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it to make the server perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data.
-SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place.
+SMB is the resource-sharing protocol that's supported by many versions of the Windows operating system. It's the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't happen.
### Countermeasure
Enable **Microsoft network client: Digitally sign communications (always)**.
->[!NOTE]
->An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
+> [!NOTE]
+> An alternative countermeasure that could protect all network traffic is to implement digital signatures through IPsec. There are hardware-based accelerators for IPsec encryption and signing that can be used to minimize the performance impact on servers. No such accelerators are available for SMB signing.
### Potential impact
-Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater.
+Storage speeds affect performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage for signing. If you're using a 1-Gb Ethernet network or slower storage speed with a modern CPU, there's limited degradation in performance. If you're using a faster network (such as 10 Gb), the performance impact of signing may be greater.
## Related topics
-- [Security Options](security-options.md)
+- [Security options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 01dea39c48..4870151b22 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -1,6 +1,6 @@
---
title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10)
-description: Best practices and more for the security policy setting, Network Security Allow PKU2U authentication requests to this computer to use online identities.
+description: Best practices for the Network Security Allow PKU2U authentication requests to this computer to use online identities security setting.
ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926
ms.reviewer:
ms.author: dansimp
@@ -22,45 +22,41 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
-Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting.
+This article describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting.
## Reference
-Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system, and it supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs.
+Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system. It supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs.
-When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
+When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
-> [!Note]
-> The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.
+> [!NOTE]
+> Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager.
-This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later.
+This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later.
### Possible values
-- **Enabled**
+- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
- This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
+ > [!NOTE]
+ > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server.
-> [!Note]
-> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fails. To resolve this, enable PKU2U on the Server.
+- **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
-- **Disabled**
-
- This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
-
-- Not set. Not configuring this policy prevents online IDs from being used to authenticate the user. This is the default on domain-joined devices
+- ***Not set***: Not configuring this policy prevents online IDs from being used to authenticate the user. This option is the default on domain-joined devices.
### Best practices
-Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or do not configure this policy to exclude online identities from being used to authenticate.
+Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate.
### Location
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+*Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options*
### Default values
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the effective default values for this policy. Default values are also listed on the policy’s property page.
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
@@ -73,20 +69,20 @@ The following table lists the actual and effective default values for this polic
## Security considerations
-This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure.
### Vulnerability
-Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft Account, so that account can log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this is beneficial for workgroups or home groups, using this feature in a domain-joined environment might circumvent your established security policies.
+Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies.
### Countermeasure
-Set this policy to Disabled or do not configure this security policy for domain-joined devices.
+Set this policy to *Disabled* or don't configure this security policy for domain-joined devices.
### Potential impact
-If you do not set or disable this policy, the PKU2U protocol will not be used to authenticate between peer devices, which forces users to follow domain defined access control policies. If you enable this policy, you will allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This will allow users to share resources between devices
+If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices.
## Related topics
-- [Security Options](security-options.md)
+- [Security options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 20fd54f909..b713a96ecb 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -14,7 +14,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 09/08/2017
---
# Password must meet complexity requirements
@@ -59,6 +58,9 @@ Additional settings that can be included in a custom Passfilt.dll are the use of
### Best practices
+> [!TIP]
+> For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance).
+
Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible.
The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an extremely busy Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of this range can represent standard alphanumeric characters that do not add additional complexity to the password.)
@@ -104,6 +106,6 @@ If your organization has more stringent security requirements, you can create a
The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)
-## Related topics
+## Related articles
- [Password Policy](password-policy.md)
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index a6ae751c35..a8bd08c42d 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -20,7 +20,8 @@ ms.date: 04/19/2017
# Security policy settings
**Applies to**
-- Windows 10
+
+- Windows 10
This reference topic describes the common scenarios, architecture, and processes for security settings.
@@ -28,43 +29,43 @@ Security policy settings are rules that administrators configure on a computer o
Security settings can control:
-- User authentication to a network or device.
-- The resources that users are permitted to access.
-- Whether to record a user’s or group’s actions in the event log.
-- Membership in a group.
+- User authentication to a network or device.
+- The resources that users are permitted to access.
+- Whether to record a user's or group's actions in the event log.
+- Membership in a group.
To manage security configurations for multiple devices, you can use one of the following options:
-- Edit specific security settings in a GPO.
-- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security.
+- Edit specific security settings in a GPO.
+- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security.
For more info about managing security configurations, see [Administer security policy settings](administer-security-policy-settings.md).
The Security Settings extension of the Local Group Policy Editor includes the following types of security policies:
-- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies:
+- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies:
- - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts.
- - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts.
- - **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement.
+ - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts.
+ - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts.
+ - **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement.
-- **Local Policies.** These policies apply to a computer and include the following types of policy settings:
+- **Local Policies.** These policies apply to a computer and include the following types of policy settings:
- - **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both).
-
- >**Note:** For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.
-
- - **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device
- - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on.
+ - **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both).
-- **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network.
-- **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices.
-- **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings.
-- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site.
-- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files.
-- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address.
-- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under
-Local Policies.
+ > [!NOTE]
+ > For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.
+
+ - **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device
+ - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on.
+
+- **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network.
+- **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices.
+- **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings.
+- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site.
+- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files.
+- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address.
+- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies.
## Policy-based security settings management
@@ -80,72 +81,72 @@ As part of your security strategy, you can create GPOs with security settings po
You can create an organizational unit (OU) structure that groups devices according to their roles. Using OUs is the best method for separating specific security requirements for the different roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new GPO for each of the OUs, and then import the security template (.inf file) into the new GPO.
-Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random
-offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred.
+Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template's security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred.
+
+> [!NOTE]
+> These refresh settings vary between versions of the operating system and can be configured.
->**Note:** These refresh settings vary between versions of the operating system and can be configured.
-
By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future.
### Dependencies on other operating system technologies
For devices that are members of a Windows Server 2008 or later domain, security settings policies depend on the following technologies:
-- **Active Directory Domain Services (AD DS)**
+- **Active Directory Domain Services (AD DS)**
- The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon.
+ The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon.
-- **Group Policy**
+- **Group Policy**
- The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security.
+ The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security.
-- **Domain Name System (DNS)**
+- **Domain Name System (DNS)**
- A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses.
+ A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses.
-- **Winlogon**
+- **Winlogon**
- A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers.
+ A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers.
-- **Setup**
+- **Setup**
- Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server.
+ Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server.
-- **Security Accounts Manager (SAM)**
+- **Security Accounts Manager (SAM)**
- A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.
+ A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.
-- **Local Security Authority (LSA)**
+- **Local Security Authority (LSA)**
- A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
+ A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
-- **Windows Management Instrumentation (WMI)**
+- **Windows Management Instrumentation (WMI)**
- A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers.
+ A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers.
-- **Resultant Set of Policy (RSoP)**
+- **Resultant Set of Policy (RSoP)**
- An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device.
+ An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device.
-- **Service Control Manager (SCM)**
+- **Service Control Manager (SCM)**
- Used for configuration of service startup modes and security.
+ Used for configuration of service startup modes and security.
-- **Registry**
+- **Registry**
- Used for configuration of registry values and security.
+ Used for configuration of registry values and security.
-- **File system**
+- **File system**
- Used for configuration of security.
+ Used for configuration of security.
-- **File system conversions**
+- **File system conversions**
- Security is set when an administrator converts a file system from FAT to NTFS.
+ Security is set when an administrator converts a file system from FAT to NTFS.
-- **Microsoft Management Console (MMC)**
+- **Microsoft Management Console (MMC)**
- The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in.
+ The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in.
### Security settings policies and Group Policy
@@ -153,25 +154,25 @@ The Security Settings extension of the Local Group Policy Editor is part of the
The following diagram shows Security Settings and related features.
-**Security Settings Policies and Related Features**
+#### Security Settings Policies and Related Features
-- **Scesrv.dll**
+- **Scesrv.dll**
- Provides the core security engine functionality.
+ Provides the core security engine functionality.
-- **Scecli.dll**
+- **Scecli.dll**
- Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP).
+ Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP).
-- **Wsecedit.dll**
+- **Wsecedit.dll**
- The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface.
+ The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface.
-- **Gpedit.dll**
+- **Gpedit.dll**
- The Local Group Policy Editor MMC snap-in.
+ The Local Group Policy Editor MMC snap-in.
## Security Settings extension architecture
@@ -185,57 +186,56 @@ The security settings configuration and analysis tools include a security config
The following list describes these primary features of the security configuration engine and other Security Settings−related features.
-- **scesrv.dll**
+- **scesrv.dll**
- This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation.
+ This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation.
- Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry.
+ Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry.
- Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not.
+ Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not.
- Communication between parts of the Security Settings extension occurs by using the following methods:
+ Communication between parts of the Security Settings extension occurs by using the following methods:
- - Component Object Model (COM) calls
- - Local Remote Procedure Call (LRPC)
- - Lightweight Directory Access Protocol (LDAP)
- - Active Directory Service Interfaces (ADSI)
- - Server Message Block (SMB)
- - Win32 APIs
- - Windows Management Instrumentation (WMI) calls
+ - Component Object Model (COM) calls
+ - Local Remote Procedure Call (LRPC)
+ - Lightweight Directory Access Protocol (LDAP)
+ - Active Directory Service Interfaces (ADSI)
+ - Server Message Block (SMB)
+ - Win32 APIs
+ - Windows Management Instrumentation (WMI) calls
- On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs.
- Scesrv.dll also performs configuration and analysis operations.
+ On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs.
+ Scesrv.dll also performs configuration and analysis operations.
-- **Scecli.dll**
+- **Scecli.dll**
- This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files.
+ This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files.
- The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll.
+ The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll.
- Scecli.dll implements the client-side extension for Group Policy.
+ Scecli.dll implements the client-side extension for Group Policy.
- Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device.
+ Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device.
- Scecli.dll logs application of security policy into WMI (RSoP).
+ Scecli.dll logs application of security policy into WMI (RSoP).
- Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA.
+ Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA.
-- **Wsecedit.dll**
+- **Wsecedit.dll**
- The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO.
+ The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO.
-- **Secedit.sdb**
+- **Secedit.sdb**
- This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes.
+ This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes.
-- **User databases**
+- **User databases**
- A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security.
+ A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security.
-- **.Inf Templates**
+- **.Inf Templates**
- These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into
- the system database during policy propagation.
+ These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation.
## Security settings policy processes and interactions
@@ -245,39 +245,39 @@ For a domain-joined device, where Group Policy is administered, security setting
When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence:
-1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start.
-2. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors:
+1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start.
+1. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors:
- - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory.
- - The location of the device in Active Directory.
- - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
+ - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory.
+ - The location of the device in Active Directory.
+ - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
-3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed.
-4. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior.
-5. The user presses CTRL+ALT+DEL to log on.
-6. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect.
-7. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors:
+1. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed.
+1. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior.
+1. The user presses CTRL+ALT+DEL to log on.
+1. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect.
+1. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors:
- - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory.
- - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting.
- - The location of the user in Active Directory.
- - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
+ - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory.
+ - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting.
+ - The location of the user in Active Directory.
+ - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
-8. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed.
-9. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last.
-10. The operating system user interface that is prescribed by Group Policy appears.
+1. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed.
+1. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last.
+1. The operating system user interface that is prescribed by Group Policy appears.
### Group Policy Objects storage
A Group Policy Object (GPO) is a virtual object that is identified by a Globally Unique Identifier (GUID) and stored at the domain level. The policy setting information of a GPO is stored in the following two locations:
-- **Group Policy containers in Active Directory.**
+- **Group Policy containers in Active Directory.**
- The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.
+ The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.
-- **Group Policy templates in a domain’s system volume folder (SYSVOL).**
+- **Group Policy templates in a domain's system volume folder (SYSVOL).**
- The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the domain\\Policies subfolder.
+ The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the \\\Policies subfolder.
The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GPO list, including the version number of the GPO, a pointer to a string that indicates the Active Directory portion of the GPO, and a pointer to a string that specifies the path to the file system portion of the GPO.
@@ -285,21 +285,21 @@ The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GP
Group Policy settings are processed in the following order:
-1. **Local Group Policy Object.**
+1. **Local Group Policy Object.**
- Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally.
+ Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally.
-2. **Site.**
+1. **Site.**
- Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify.
+ Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify.
-3. **Domain.**
+1. **Domain.**
- Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy.
+ Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy.
-4. **Organizational units.**
+1. **Organizational units.**
- Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed.
+ Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy Objects can be linked. If several Group Policy Objects are linked to an organizational unit, their processing is synchronous and in an order that you specify.
@@ -311,34 +311,34 @@ This is the default processing order and administrators can specify exceptions t
In the context of Group Policy processing, security settings policy is processed in the following order.
-1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply.
-2. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension.
-3. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller.
-4. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the “Group Policy processing order” section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged.
+1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply.
+1. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension.
+1. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller.
+1. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the "Group Policy processing order" section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged.
- This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs.
+ This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs.
- **Multiple GPOs and Merging of Security Policy**
+ **Multiple GPOs and Merging of Security Policy**
- 
+ 
-5. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
-6. The security settings policies are applied to devices.
+1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
+1. The security settings policies are applied to devices.
The following figure illustrates the security settings policy processing.
**Security Settings Policy Processing**
-
+
### Merging of security policies on domain controllers
Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged:
-- Network Security: Force logoff when logon hours expire
-- Accounts: Administrator account status
-- Accounts: Guest account status
-- Accounts: Rename administrator account
-- Accounts: Rename guest account
+- Network Security: Force logoff when logon hours expire
+- Accounts: Administrator account status
+- Accounts: Guest account status
+- Accounts: Rename administrator account
+- Accounts: Rename guest account
Another mechanism exists that allows security policy changes made by administrators by using net accounts to be merged into the Default Domain Policy GPO. User rights changes that are made by using Local Security Authority (LSA) APIs are filtered into the Default Domain Controllers Policy GPO.
@@ -350,9 +350,9 @@ If an application is installed on a primary domain controller (PDC) with operati
After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances:
-- When a device is restarted.
-- Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable.
-- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed.
+- When a device is restarted.
+- Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable.
+- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed.
### Persistence of security settings policy
@@ -360,12 +360,12 @@ Security settings can persist even if a setting is no longer defined in the poli
Security settings might persist in the following cases:
-- The setting has not been previously defined for the device.
-- The setting is for a registry security object.
-- The settings are for a file system security object.
+- The setting has not been previously defined for the device.
+- The setting is for a registry security object.
+- The settings are for a file system security object.
-All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is.
-This behavior is sometimes referred to as “tattooing.”
+All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is.
+This behavior is sometimes referred to as "tattooing".
Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values.
@@ -377,8 +377,9 @@ Both Apply Group Policy and Read permissions are required to have the settings f
By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU.
-**Note:** Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.
-
+> [!NOTE]
+> Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.
+
### Migration of GPOs containing security settings
In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings.
@@ -387,12 +388,12 @@ Data for a single GPO is stored in multiple locations and in various formats; so
The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another.
-- User rights assignment
-- Restricted groups
-- Services
-- File system
-- Registry
-- The GPO DACL, if you choose to preserve it during a copy operation
+- User rights assignment
+- Restricted groups
+- Services
+- File system
+- Registry
+- The GPO DACL, if you choose to preserve it during a copy operation
To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs.
@@ -400,6 +401,6 @@ To ensure that data is copied correctly, you can use Group Policy Management Con
| Topic | Description |
| - | - |
-| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
-| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
-| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
+| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
+| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
+| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 4a75974332..fb06a1c928 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
-Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting.
+This article describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting.
## Reference
@@ -38,11 +38,12 @@ This policy setting determines the behavior of all User Account Control (UAC) po
Admin Approval Mode and all related UAC policies are disabled.
- >**Note:** If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced.
+ > [!NOTE]
+ > If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced.
### Best practices
-- Enable this policy to allow all other UAC features and policies to function.
+- Turn on this policy to allow all other UAC features and policies to function.
### Location
@@ -67,11 +68,11 @@ This section describes features and tools that are available to help you manage
### Restart requirement
-A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy.
+The computer must be restarted before this policy is effective when changes to this policy are saved locally or distributed through Group Policy.
### Group Policy
-All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
+All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console or Local Security Policy snap-in for a domain, site, or organizational unit.
## Security considerations
@@ -79,11 +80,11 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-This is the setting that turns UAC on or off. If this setting is disabled, UAC is not used, and any security benefits and risk mitigations that are dependent on UAC are not present on the computer.
+This setting turns on or turns off UAC. If this setting isn't turned on, UAC isn't used, and any security benefits and risk mitigations that are dependent on UAC aren't present on the computer.
### Countermeasure
-Enable the **User Account Control: Run all users, including administrators, as standard users** setting.
+Turn on the **User Account Control: Run all users, including administrators, as standard users** setting.
### Potential impact
diff --git a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md
index 228378515b..9b7b2cffbf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md
@@ -13,7 +13,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 02/05/2020
-ms.reviewer:
+ms.reviewer: shwetaj
manager: dansimp
audience: ITPro
ms.topic: article
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index 17897257a2..0483497ae8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.reviewer:
+ms.reviewer: ksarens
manager: dansimp
---
@@ -22,14 +22,12 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*.
-
-This utility can be useful when you want to automate Windows Defender Antivirus use.
-
-You can find the utility in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_. You must run it from a command prompt.
+You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Windows Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
> [!NOTE]
> You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+>
+> If you're running an updated Windows Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`.
The utility has the following commands:
@@ -44,11 +42,11 @@ MpCmdRun.exe -scan -2
| Command | Description |
|:----|:----|
| `-?` **or** `-h` | Displays all available options for this tool |
-| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. |
+| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. CpuThrottling will honor the configured CPU throttling from policy |
| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
| `-GetFiles` | Collects support information |
| `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder |
-| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set |
+| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set |
| `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence |
| `-RemoveDefinitions [-Engine]` | Restores the previous installed engine |
| `-SignatureUpdate [-UNC \| -MMPC]` | Checks for new Security intelligence updates |
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index 981c05b0ae..14125ae30d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -47,7 +47,7 @@ To configure the Group Policy settings described in the following table:
Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
---|---|---|---
-See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
+Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
@@ -72,29 +72,19 @@ For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.
## Email scanning limitations
-We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
-
-Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails.
-
-You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
+Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
- DBX
- MBX
- MIME
-PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
+PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
-If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
+If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
- Email subject
- Attachment name
->[!WARNING]
->There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
->
-> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
-> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
-
## Related topics
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index c5ea9149b8..af838d196f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -50,7 +50,7 @@ Block at first sight requires a number of settings to be configured correctly or
### Confirm block at first sight is enabled with Intune
-1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**.
+1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Windows Defender Antivirus**.
> [!NOTE]
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
@@ -119,19 +119,19 @@ If you had to change any of the settings, you should re-deploy the Group Policy
### Confirm block at first sight is enabled with the Windows Security app
-You can confirm that block at first sight is enabled in Windows Settings.
+You can confirm that block at first sight is enabled in your Windows security settings.
-Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
+Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
### Confirm Block at First Sight is enabled on individual clients
-1. Open the Windows Security app by clicking the shield icon in the task bar.
+1. Open the Windows Security app.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**:
+2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.
-3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
+3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
> [!NOTE]
> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index 03cf88d610..e0805ca3fb 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 02/05/2020
+ms.date: 03/12/2020
ms.reviewer:
manager: dansimp
---
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 7f217bed68..bc096eac9e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
---
@@ -33,11 +32,11 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
-This topic describes how to configure exclusion lists for the files and folders.
+This article describes how to configure exclusion lists for the files and folders.
Exclusion | Examples | Exclusion list
---|---|---
-Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions
+Any file with a specific extension | All files with the specified extension, anywhere on the machine.
Valid syntax: `.test` and `test` | Extension exclusions
Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
@@ -90,21 +89,22 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-4. Double-click the **Path Exclusions** setting and add the exclusions:
+4. Double-click the **Path Exclusions** setting and add the exclusions.
- 1. Set the option to **Enabled**.
- 2. Under the **Options** section, click **Show...**.
- 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
+ - Set the option to **Enabled**.
+ - Under the **Options** section, click **Show...**.
+ - Specify each folder on its own line under the **Value name** column.
+ - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
-6. Double-click the **Extension Exclusions** setting and add the exclusions:
+6. Double-click the **Extension Exclusions** setting and add the exclusions.
- 1. Set the option to **Enabled**.
- 2. Under the **Options** section, click **Show...**.
- 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
+ - Set the option to **Enabled**.
+ - Under the **Options** section, click **Show...**.
+ - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**.
@@ -116,13 +116,13 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
-The format for the cmdlets is:
+The format for the cmdlets is as follows:
```PowerShell
- "- "
```
-The following are allowed as the \:
+The following are allowed as the ``:
Configuration action | PowerShell cmdlet
---|---
@@ -130,7 +130,7 @@ Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove item from the list | `Remove-MpPreference`
-The following are allowed as the \:
+The following are allowed as the ``:
Exclusion type | PowerShell parameter
---|---
@@ -168,6 +168,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.c
See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+
## Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
@@ -180,91 +181,21 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such
>- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
-
-
- | Wildcard |
- Use in file name and file extension exclusions |
- Use in folder exclusions |
- Example use |
- Example matches |
-
-
- | * (asterisk) |
- Replaces any number of characters.
Only applies to files in the last folder defined in the argument. |
- Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders will also be included. |
-
-
- - C:\MyData\*.txt
- - C:\somepath\*\Data
- - C:\Serv\*\*\Backup
-
- |
-
-
- - C:\MyData\notes.txt
- - Any file in:
-
- - C:\somepath\Archives\Data and its subfolders
- - C:\somepath\Authorized\Data and its subfolders
-
- - Any file in:
-
- - C:\Serv\Primary\Denied\Backup and its subfolders
- - C:\Serv\Secondary\Allowed\Backup and its subfolders
-
-
- |
-
-
- |
- ? (question mark)
- |
-
- Replaces a single character.
- Only applies to files in the last folder defined in the argument.
- |
-
- Replaces a single character in a folder name.
- After matching the number of wild carded and named folders, all subfolders will also be included.
- |
-
-
- - C:\MyData\my?.zip
- - C:\somepath\?\Data
- - C:\somepath\test0?\Data
-
- |
-
-
- - C:\MyData\my1.zip
- - Any file in C:\somepath\P\Data and its subfolders
- - Any file in C:\somepath\test01\Data and its subfolders
-
- |
-
-
- | Environment variables |
- The defined variable will be populated as a path when the exclusion is evaluated. |
- Same as file and extension use. |
-
-
- - %ALLUSERSPROFILE%\CustomLogFiles
-
- |
-
-
- - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
-
- |
-
-
+
+
+|Wildcard |Examples |
+|---------|---------|
+|`*` (asterisk)
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
+|`?` (question mark)
In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`
`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders
`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
+|Environment variables
The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
+
>[!IMPORTANT]
>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
>
->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*.
+>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
>
->This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`.
+>This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
@@ -362,6 +293,3 @@ You can also copy the string into a blank text file and attempt to save it with
- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Handling false positives/negatives](antivirus-false-positives-negatives.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index fa061b9284..59f19f11c9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 02/13/2020
ms.reviewer:
manager: dansimp
---
@@ -47,7 +47,7 @@ To configure these settings:
5. Deploy the Group Policy Object as usual.
-Location | Setting | Configuration topic
+Location | Setting | Article
---|---|---|---
MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
@@ -67,13 +67,13 @@ Scan | Configure local setting override for the scan type to use for a scheduled
## Configure how locally and globally defined threat remediation and exclusions lists are merged
-You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md).
+You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md), [specified remediation lists](configure-remediation-windows-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
-**Use Group Policy to disable local list merging:**
+### Use Group Policy to disable local list merging
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index 94b115e1e2..1b19f98ccd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
---
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 6c817499da..97a45e8794 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -1,8 +1,8 @@
---
-title: Configure Windows Defender Antivirus exclusions on Windows Server 2016
+title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 or 2019
ms.reviewer:
manager: dansimp
-description: Windows Server 2016 includes automatic exclusions, based on server role. You can also add custom exclusions.
+description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -22,48 +22,47 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions.
+Windows Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
-These exclusions will not appear in the standard exclusion lists shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
-
-You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics:
+> [!NOTE]
+> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
+In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles:
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-Custom exclusions take precedence over automatic exclusions.
+## A few points to keep in mind
-> [!TIP]
-> Custom and duplicate exclusions do not conflict with automatic exclusions.
+- Custom exclusions take precedence over automatic exclusions.
-Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
+- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
+
+- Custom and duplicate exclusions do not conflict with automatic exclusions.
+
+- Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
-In Windows Server 2016, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in Security intelligence updates.
+In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
> [!WARNING]
-> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles.
+> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
-> [!NOTE]
-> This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions.
-
-> [!TIP]
-> Since the predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path *different than the original one*, you would have to manually add the exclusions using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
+Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
-### Use Group Policy to disable the auto-exclusions list on Windows Server 2016
+### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Exclusions**.
-4. Double-click **Turn off Auto Exclusions** and set the option to **Enabled**. Click **OK**.
+4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
-**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
+### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
Use the following cmdlets:
@@ -71,11 +70,13 @@ Use the following cmdlets:
Set-MpPreference -DisableAutoExclusions $true
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+[Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md).
-### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016
+[Use PowerShell with Windows Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
+
+Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
DisableAutoExclusions
@@ -85,212 +86,221 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
## List of automatic exclusions
+
The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
### Default exclusions for all roles
-This section lists the default exclusions for all Windows Server 2016 roles.
-- Windows "temp.edb" files:
+This section lists the default exclusions for all Windows Server 2016 and 2019 roles.
- - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
+#### Windows "temp.edb" files
- - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
+- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
-- Windows Update files or Automatic Update files:
+- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
- - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
+#### Windows Update files or Automatic Update files
- - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
+- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
- - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
+- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
- - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
+- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
- - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
+- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
-- Windows Security files:
+- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
- - *%windir%*\Security\database\\*.chk
+#### Windows Security files
- - *%windir%*\Security\database\\*.edb
+- *%windir%*\Security\database\\*.chk
- - *%windir%*\Security\database\\*.jrs
+- *%windir%*\Security\database\\*.edb
- - *%windir%*\Security\database\\*.log
+- *%windir%*\Security\database\\*.jrs
- - *%windir%*\Security\database\\*.sdb
+- *%windir%*\Security\database\\*.log
-- Group Policy files:
+- *%windir%*\Security\database\\*.sdb
- - *%allusersprofile%*\NTUser.pol
+#### Group Policy files
- - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
+- *%allusersprofile%*\NTUser.pol
- - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
+- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
-- WINS files:
+- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
- - *%systemroot%*\System32\Wins\\*\\\*.chk
+#### WINS files
- - *%systemroot%*\System32\Wins\\*\\\*.log
+- *%systemroot%*\System32\Wins\\*\\\*.chk
- - *%systemroot%*\System32\Wins\\*\\\*.mdb
+- *%systemroot%*\System32\Wins\\*\\\*.log
- - *%systemroot%*\System32\LogFiles\
+- *%systemroot%*\System32\Wins\\*\\\*.mdb
- - *%systemroot%*\SysWow64\LogFiles\
+- *%systemroot%*\System32\LogFiles\
-- File Replication Service (FRS) exclusions:
+- *%systemroot%*\SysWow64\LogFiles\
- - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
+#### File Replication Service (FRS) exclusions
- - *%windir%*\Ntfrs\jet\sys\\*\edb.chk
+- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
+ - *%windir%*\Ntfrs\jet\sys\\*\edb.chk
- - *%windir%*\Ntfrs\jet\log\\*\\\*.log
+ - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
- - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
+ - *%windir%*\Ntfrs\jet\log\\*\\\*.log
- -*%windir%*\Ntfrs\\*\Edb\*.log
+- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
- - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
+ - *%windir%*\Ntfrs\\*\Edb\*.log
- - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
+- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
+ - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
- - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
+- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
- - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
+ - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
- > [!NOTE]
- > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
+- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
- - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
+ > [!NOTE]
+ > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
- - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
- - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
+ - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
- - *%systemdrive%*\System Volume Information\DFSR\\*.XML
+ - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
- - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
+ - *%systemdrive%*\System Volume Information\DFSR\\*.XML
- - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
- - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
- - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
- - *%systemdrive%*\System Volume Information\DFSR\\*.frx
+ - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
- - *%systemdrive%*\System Volume Information\DFSR\\*.log
+ - *%systemdrive%*\System Volume Information\DFSR\\*.frx
- - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
+ - *%systemdrive%*\System Volume Information\DFSR\\*.log
- - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
+ - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
-- Process exclusions
+ - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
- - *%systemroot%*\System32\dfsr.exe
+#### Process exclusions
- - *%systemroot%*\System32\dfsrs.exe
+- *%systemroot%*\System32\dfsr.exe
-- Hyper-V exclusions:
+- *%systemroot%*\System32\dfsrs.exe
- - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
+#### Hyper-V exclusions
- - File type exclusions:
+This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
- - *.vhd
+- File type exclusions:
- - *.vhdx
+ - *.vhd
- - *.avhd
+ - *.vhdx
- - *.avhdx
+ - *.avhd
- - *.vsv
+ - *.avhdx
- - *.iso
+ - *.vsv
- - *.rct
+ - *.iso
- - *.vmcx
+ - *.rct
- - *.vmrs
+ - *.vmcx
- - Folder exclusions:
+ - *.vmrs
- - *%ProgramData%*\Microsoft\Windows\Hyper-V
+- Folder exclusions:
- - *%ProgramFiles%*\Hyper-V
+ - *%ProgramData%*\Microsoft\Windows\Hyper-V
- - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
+ - *%ProgramFiles%*\Hyper-V
- - *%Public%*\Documents\Hyper-V\Virtual Hard Disks
+ - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
- - Process exclusions:
+ - *%Public%*\Documents\Hyper-V\Virtual Hard Disks
- - *%systemroot%*\System32\Vmms.exe
+- Process exclusions:
- - *%systemroot%*\System32\Vmwp.exe
+ - *%systemroot%*\System32\Vmms.exe
-- SYSVOL files:
+ - *%systemroot%*\System32\Vmwp.exe
- - *%systemroot%*\Sysvol\Domain\\*.adm
+#### SYSVOL files
- - *%systemroot%*\Sysvol\Domain\\*.admx
+- *%systemroot%*\Sysvol\Domain\\*.adm
- - *%systemroot%*\Sysvol\Domain\\*.adml
+- *%systemroot%*\Sysvol\Domain\\*.admx
- - *%systemroot%*\Sysvol\Domain\Registry.pol
+- *%systemroot%*\Sysvol\Domain\\*.adml
- - *%systemroot%*\Sysvol\Domain\\*.aas
+- *%systemroot%*\Sysvol\Domain\Registry.pol
- - *%systemroot%*\Sysvol\Domain\\*.inf
+- *%systemroot%*\Sysvol\Domain\\*.aas
- - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
+- *%systemroot%*\Sysvol\Domain\\*.inf
- - *%systemroot%*\Sysvol\Domain\\*.ins
+- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
- - *%systemroot%*\Sysvol\Domain\Oscfilter.ini
+- *%systemroot%*\Sysvol\Domain\\*.ins
+
+- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
### Active Directory exclusions
+
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
-- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
+#### NTDS database files
- - %windir%\Ntds\ntds.dit
+The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- - %windir%\Ntds\ntds.pat
+- %windir%\Ntds\ntds.dit
-- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
+- %windir%\Ntds\ntds.pat
- - %windir%\Ntds\EDB*.log
+#### The AD DS transaction log files
- - %windir%\Ntds\Res*.log
+The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- - %windir%\Ntds\Edb*.jrs
+- %windir%\Ntds\EDB*.log
- - %windir%\Ntds\Ntds*.pat
+- %windir%\Ntds\Res*.log
- - %windir%\Ntds\EDB*.log
+- %windir%\Ntds\Edb*.jrs
- - %windir%\Ntds\TEMP.edb
+- %windir%\Ntds\Ntds*.pat
-- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
+- %windir%\Ntds\EDB*.log
- - %windir%\Ntds\Temp.edb
+- %windir%\Ntds\TEMP.edb
- - %windir%\Ntds\Edb.chk
+#### The NTDS working folder
-- Process exclusions for AD DS and AD DS-related support files:
+This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- - %systemroot%\System32\ntfrs.exe
+- %windir%\Ntds\Temp.edb
- - %systemroot%\System32\lsass.exe
+- %windir%\Ntds\Edb.chk
+
+#### Process exclusions for AD DS and AD DS-related support files
+
+- %systemroot%\System32\ntfrs.exe
+
+- %systemroot%\System32\lsass.exe
### DHCP Server exclusions
@@ -310,19 +320,19 @@ This section lists the exclusions that are delivered automatically when you inst
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
-- File and folder exclusions for the DNS Server role:
+#### File and folder exclusions for the DNS Server role
- - *%systemroot%*\System32\Dns\\*\\\*.log
+- *%systemroot%*\System32\Dns\\*\\\*.log
- - *%systemroot%*\System32\Dns\\*\\\*.dns
+- *%systemroot%*\System32\Dns\\*\\\*.dns
- - *%systemroot%*\System32\Dns\\*\\\*.scc
+- *%systemroot%*\System32\Dns\\*\\\*.scc
- - *%systemroot%*\System32\Dns\\*\BOOT
+- *%systemroot%*\System32\Dns\\*\BOOT
-- Process exclusions for the DNS Server role:
+#### Process exclusions for the DNS Server role
- - *%systemroot%*\System32\dns.exe
+- *%systemroot%*\System32\dns.exe
### File and Storage Services exclusions
@@ -338,43 +348,45 @@ This section lists the file and folder exclusions that are delivered automatical
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
-- File type exclusions:
+#### File type exclusions
- - *.shd
+- *.shd
- - *.spl
+- *.spl
-- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
+#### Folder exclusions
- - *%system32%*\spool\printers\\*
+This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
-- Process exclusions:
+- *%system32%*\spool\printers\\*
- - spoolsv.exe
+#### Process exclusions
+
+- spoolsv.exe
### Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
-- Folder exclusions:
+#### Folder exclusions
- - *%SystemRoot%*\IIS Temporary Compressed Files
+- *%SystemRoot%*\IIS Temporary Compressed Files
- - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
+- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
- - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
+- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
- - *%systemDrive%*\inetpub\logs
+- *%systemDrive%*\inetpub\logs
- - *%systemDrive%*\inetpub\wwwroot
+- *%systemDrive%*\inetpub\wwwroot
-- Process exclusions:
+#### Process exclusions
- - *%SystemRoot%*\system32\inetsrv\w3wp.exe
+- *%SystemRoot%*\system32\inetsrv\w3wp.exe
- - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
+- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
- - *%SystemDrive%*\PHP5433\php-cgi.exe
+- *%SystemDrive%*\PHP5433\php-cgi.exe
### Windows Server Update Services exclusions
@@ -391,7 +403,11 @@ This section lists the folder exclusions that are delivered automatically when y
## Related articles
- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
+
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index fc883cd71d..7c0db7f78f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -13,7 +13,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
-ms.date: 01/06/2020
+ms.date: 02/12/2020
ms.reviewer:
manager: dansimp
---
@@ -41,15 +41,15 @@ Potentially unwanted applications can increase the risk of your network being in
### Microsoft Edge
-The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
#### Enable PUA protection in Chromium-based Microsoft Edge
-Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is turned off by default, it can easily be turned on from within the browser.
+Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.
-1. From the tool bar, select **Settings and more** > **Settings**.
+1. Select the ellipses, and then choose **Settings**.
2. Select **Privacy and services**.
-3. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off.
+3. Under the **Services** section, turn on **Block potentially unwanted apps**.
> [!TIP]
> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/).
@@ -62,7 +62,7 @@ Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft
Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off.
-Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md#create-indicators-for-ips-and-urlsdomains-preview) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings.
+Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings.
### Windows Defender Antivirus
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 985b6f0b7c..8c14c01d58 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -22,8 +22,8 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+> [!NOTE]
+> The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
@@ -34,88 +34,92 @@ See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protectio
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details.
->[!NOTE]
->In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
+> [!NOTE]
+> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
-**Use Intune to enable cloud-delivered protection**
+## Use Intune to enable cloud-delivered protection
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
5. On the **Cloud-delivered protection** switch, select **Enable**.
-6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
+6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
7. In the **Submit samples consent** dropdown, select one of the following:
- **Send safe samples automatically**
- **Send all samples automatically**
>[!NOTE]
- >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+ > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
> [!WARNING]
- > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+ > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
-**Use Configuration Manager to enable cloud-delivered protection:**
+## Use Configuration Manager to enable cloud-delivered protection
See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
-**Use Group Policy to enable cloud-delivered protection:**
+## Use Group Policy to enable cloud-delivered protection
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
-3. Click **Administrative templates**.
+3. Select **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
-5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**.
+5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
-6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following:
+6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following:
1. **Send safe samples** (1)
2. **Send all samples** (3)
>[!NOTE]
- >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+ > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
> [!WARNING]
- > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+ > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
7. Click **OK**.
-**Use PowerShell cmdlets to enable cloud-delivered protection:**
+## Use PowerShell cmdlets to enable cloud-delivered protection
Use the following cmdlets to enable cloud-delivered protection:
```PowerShell
Set-MpPreference -MAPSReporting Advanced
-Set-MpPreference -SubmitSamplesConsent AlwaysPrompt
+Set-MpPreference -SubmitSamplesConsent SendAllSamples
```
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
+
>[!NOTE]
->You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+> You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+>[!WARNING]
+> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
-**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:**
+## Use Windows Management Instruction (WMI) to enable cloud-delivered protection
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties:
```WMI
-MAPSReporting
+MAPSReporting
SubmitSamplesConsent
```
See the following for more information and allowed parameters:
+
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-**Enable cloud-delivered protection on individual clients with the Windows Security app**
+## Enable cloud-delivered protection on individual clients with the Windows Security app
> [!NOTE]
> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg b/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg
new file mode 100644
index 0000000000..9376fba47e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png
new file mode 100644
index 0000000000..cea5e255f5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png b/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png
index f9ef1da5f7..d9664338fe 100644
Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png and b/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index be5477b03f..a487d96a32 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 01/09/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@@ -40,7 +39,7 @@ This article describes how to specify from where updates should be downloaded (t
## Fallback order
-Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
+Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used immediately.
When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:
- The age of the last update on the device; and
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 7ebc368cbc..5fdfa55aa4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
@@ -24,27 +23,187 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
There are two types of updates related to keeping Windows Defender Antivirus up to date:
-1. Protection updates
-2. Product updates
+ - Security intelligence updates
+ - Product updates
-You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
+> [!IMPORTANT]
+> Keeping Windows Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
+> This also applies to devices where Windows Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility).
-## Protection updates
+## Security intelligence updates
-Windows Defender Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as Security intelligence updates.
+Windows Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
-The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+
+Engine updates are included with the security intelligence updates and are released on a monthly cadence.
## Product updates
-Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+
+You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
+For more information, see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
+
+> [!NOTE]
+> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server.
+
+## Monthly platform and engine versions
+
+For information how to update or how to install the platform update, please see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
+
+All our updates contain:
+* performance improvements
+* serviceability improvements
+* integration improvements (Cloud, MTP)
+
+
+
+ April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)
+
+ Security intelligence update version: **TBD**
+ Released: **April 30, 2020**
+ Platform: **4.18.2004.6**
+ Engine: **1.1.17000.2**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+* WDfilter improvements
+* Add more actionable event data to ASR detection events
+* Fixed version information in diagnostic data and WMI
+* Fixed incorrect platform version in UI after platform update
+* Dynamic URL intel for Fileless threat protection
+* UEFI scan capability
+* Extend logging for updates
+
+### Known Issues
+No known issues
+
+
+
+
+ March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)
+
+ Security intelligence update version: **1.313.8.0**
+ Released: **March 24, 2020**
+ Platform: **4.18.2003.8**
+ Engine: **1.1.16900.4**
+ Support phase: **Technical upgrade Support (Only)**
+
+### What's new
+
+* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus)
+* Improve diagnostic capability
+* reduce Security intelligence timeout (5min)
+* Extend AMSI engine internal log capability
+* Improve notification for process blocking
+
+### Known Issues
+[**Fixed**] Windows Defender Antivirus is skipping files when running a scan.
+
+
+
+
+
+
+ February-2020 (Platform: - | Engine: 1.1.16800.2)
+
+
+ Security intelligence update version: **1.311.4.0**
+ Released: **February 25, 2020**
+ Platform/Client: **-**
+ Engine: **1.1.16800.2**
+ Support phase: **N/A**
+
+### What's new
+
+
+### Known Issues
+No known issues
+
+
+
+
+ January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)
+
+
+Security intelligence update version: **1.309.32.0**
+Released: **January 30, 2020**
+Platform/Client: **4.18.2001.10**
+Engine: **1.1.16700.2**
+Support phase: **Technical upgrade Support (Only)**
+
+### What's new
+
+* Fixed BSOD on WS2016 with Exchange
+* Support platform updates when TMP is redirected to network path
+* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
+* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+* Fix 4.18.1911.10 hang
+
+### Known Issues
+[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
+
+> [!IMPORTANT]
+> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
+
+
+
+
+ November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7)
+
+Security intelligence update version: **1.307.13.0**
+Released: **December 7, 2019**
+Platform: **4.18.1911.2**
+Engine: **1.1.17000.7**
+Support phase: **No support**
+
+### What's new
+
+* Fixed MpCmdRun tracing level
+* Fixed WDFilter version info
+* Improve notifications (PUA)
+* add MRT logs to support files
+
+### Known Issues
+No known issues
+
+
+
+## Windows Defender Antivirus platform support
+As stated above, platform and engine updates are provided on a monthly cadence.
+Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version:
+
+
+* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
+
+
+* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
+
+\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
+
+During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
+
+### Platform version included with Windows 10 releases
+The below table provides the Windows Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
+
+|Windows 10 release |Platform version |Engine version |Support phase |
+|-|-|-|-|
+|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
+|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
+|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) |
+|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) |
+|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) |
+|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) |
+|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) |
+
+Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
-You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
## In this section
-Topic | Description
+Article | Description
---|---
[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
new file mode 100644
index 0000000000..77a5c15cf1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
@@ -0,0 +1,87 @@
+---
+title: "Better together - Windows Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats"
+description: "Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more."
+keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.topic: article
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 03/04/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Better together: Windows Defender Antivirus and Office 365
+
+**Applies to:**
+
+- Windows Defender Antivirus
+- Office 365
+
+You might already know that:
+
+- **Windows Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Windows Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Windows Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+
+- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
+
+- **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing).
+
+**But did you know there are good security reasons to use Windows Defender Antivirus together with Office 365**? Here are two:
+
+ 1. [You get ransomware protection and recovery](#ransomware-protection-and-recovery).
+
+ 2. [Integration means better protection](#integration-means-better-protection).
+
+Read the following sections to learn more.
+
+## Ransomware protection and recovery
+
+When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
+
+1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.)
+
+2. **Windows Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.)
+
+3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f).
+
+Think of the time and hassle this can save.
+
+## Integration means better protection
+
+Office 365 Advanced Threat Protection integrated with Microsoft Defender Advanced Threat Protection means better protection for your organization. Here's how:
+
+- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents.
+
+ AND
+
+- [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture.
+
+ SO
+
+- Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+If you haven't already done so, [integrate Office 365 Advanced Threat Protection with Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp).
+
+## More good reasons to use OneDrive
+
+Protection from ransomware is one great reason to put your files in OneDrive. And there are several more good reasons, summarized in this video:
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/70b4d256-46fb-481f-ad9b-921ef5fd7bed]
+
+## Want to learn more?
+
+[OneDrive](https://docs.microsoft.com/onedrive)
+
+[Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide)
+
+[Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/)
+
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index b5d731b602..52966241d0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -87,11 +87,11 @@ If you are part of your organization's security team, and your subscription incl
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
-1. Make sure your organization meets all of the following requirements:
+1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
+ - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- - Your Windows machines must be running Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
+ - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
@@ -119,7 +119,7 @@ Here's what you see in the Windows Security app:
### Are you using Windows OS 1709, 1803, or 1809?
-If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
+If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
#### Use PowerShell to determine whether tamper protection is turned on
@@ -155,7 +155,7 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili
### To which Windows OS versions is configuring tamper protection is applicable?
-Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
### Is configuring tamper protection in Intune supported on servers?
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index d123f26a35..2efa65178d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -22,6 +22,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+> [!IMPORTANT]
+> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+
You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index 80c59d0658..76de6faff6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 02/24/2020
ms.reviewer:
manager: dansimp
---
@@ -23,36 +23,36 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx).
+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).
-For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) topic.
+For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) topic.
-PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
+PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> [!NOTE]
-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367).
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Windows Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/100591).
-Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
+Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
-PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
-
+PowerShell is typically installed under the folder `%SystemRoot%\system32\WindowsPowerShell`.
## Use Windows Defender Antivirus PowerShell cmdlets
-1. Click **Start**, type **powershell**, and press **Enter**.
-2. Click **Windows PowerShell** to open the interface.
-3. Enter the command and parameters.
+1. In the Windows search bar, type **powershell**.
+2. Select **Windows PowerShell** from the results to open the interface.
+3. Enter the PowerShell command and any parameters.
> [!NOTE]
-> You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+> You may need to open PowerShell in administrator mode. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
To open online help for any of the cmdlets type the following:
```PowerShell
Get-Help -Online
```
+
Omit the `-online` parameter to get locally cached help.
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
index 57b00a8aa0..bfca4b0430 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection
-description: For best results, use Windows Defender Antivirus together with your other Microsoft offerings.
+title: "Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection"
+description: "For best results, use Windows Defender Antivirus together with your other Microsoft offerings."
keywords: windows defender, antivirus, third party av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -14,7 +14,6 @@ ms.topic: article
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 01/07/2020
ms.reviewer:
manager: dansimp
---
@@ -29,20 +28,21 @@ Windows Defender Antivirus is the next-generation protection component of [Micro
Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services.
-## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP
+## 11 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP
| |Advantage |Why it matters |
|--|--|--|
|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
-|2|Threat analytics and your secure score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
+|2|Threat analytics and your configuration score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [configuration score](../microsoft-defender-atp/configuration-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
|3|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).|
|4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
-|7|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
-|8|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
-|9|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
-|10|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). |
+|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).|
+|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
+|9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
+|10|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
+|11|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). |
## Learn more
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 64efaa5752..c758cea607 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -1,6 +1,6 @@
---
title: Windows Defender Antivirus compatibility with other security products
-description: Windows Defender AV operates in different ways depending on what other security products you have installed, and the operating system you are using.
+description: Windows Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using.
keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -12,8 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
+ms.reviewer:
manager: dansimp
---
@@ -23,70 +22,77 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
+## Overview
-However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself.
+Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
+- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Windows Defender Antivirus automatically goes into disabled mode.
+- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Windows Defender Antivirus.)
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
-If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. Important: Real time protection and and threats will not be remediated by Windows Defender AV.
+## Antivirus and Microsoft Defender ATP
-The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Microsoft Defender ATP are also used.
+The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
-| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender AV state |
-|---------------------|---------------------------------------------------------------------|-------------------------------------------------|-----------------------------------|
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
-| Windows 10 | Windows Defender AV | Yes | Active mode |
-| Windows 10 | Windows Defender AV | No | Active mode |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] |
-| Windows Server 2016 | Windows Defender AV | Yes | Active mode |
-| Windows Server 2016 | Windows Defender AV | No | Active mode |
+| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state |
+|------|------|-------|-------|
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
+| Windows 10 | Windows Defender Antivirus | Yes | Active mode |
+| Windows 10 | Windows Defender Antivirus | No | Active mode |
+| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] |
+| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] |
+| Windows Server 2016 or 2019 | Windows Defender Antivirus | Yes | Active mode |
+| Windows Server 2016 or 2019 | Windows Defender Antivirus | No | Active mode |
-(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [uninstall Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine.
-If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
-- Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
-- Name: ForceDefenderPassiveMode
+(1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019](windows-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-windows-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
+
+If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
+- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+- Name: ForceDefenderPassiveMode
- Value: 1
-See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md#install-or-uninstall-windows-defender-av-on-windows-server-2016) topic for key differences and management options for Windows Server installations.
+See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
-
-
-
->[!IMPORTANT]
->Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
->
->In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
->
->Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
-
-
-This table indicates the functionality and features that are available in each state:
-
-State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md)
-:-|:-|:-:|:-:|:-:|:-:|:-:
-Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
-Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
-
-If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
-
-Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.
-
-In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
- If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
-
->[!WARNING]
->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Microsoft Defender ATP, or the Windows Security app.
->
->This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
+> [!IMPORTANT]
+> Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
>
->It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
-
+> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
+>
+> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+
+## Functionality and features available in each state
+
+The following table summarizes the functionality and features that are available in each state:
+
+|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
+|--|--|--|--|--|--|
+|Active mode
|Yes |No |Yes |Yes |Yes |
+|Passive mode |No |No |Yes |No |Yes |
+|[EDR in block mode enabled](shadow-protection.md) |No |No |Yes |Yes |Yes |
+|Automatic disabled mode |No |Yes |No |No |No |
+
+- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
+- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
+
+## Keep the following points in mind
+
+If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+
+When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+
+In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
+
+> [!WARNING]
+> You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
+
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
+- [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md)
+- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index 539f6e5844..79ba16ef12 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -1,5 +1,5 @@
---
-title: Next-generation protection in Windows 10 and Windows Server 2016
+title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
search.product: eADQiWindows 10XVcnh
@@ -11,33 +11,36 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 12/17/2019
+ms.date: 02/25/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
---
-# Next-generation protection in Windows 10 and Windows Server 2016
+# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include:
+## Windows Defender Antivirus: Your next-generation protection
+
+Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following:
- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-windows-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware.
- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats.
- [Dedicated protection and product updates](manage-updates-baselines-windows-defender-antivirus.md). This includes updates related to keeping Windows Defender Antivirus up to date.
->[!TIP]
->Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
-> - Cloud-delivered protection
-> - Block at first sight (BAFS) protection
-> - Potentially unwanted applications (PUA) protection
+## Try a demo!
+
+Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
+- Cloud-delivered protection
+- Block at first sight (BAFS) protection
+- Potentially unwanted applications (PUA) protection
## Minimum system requirements
-Windows Defender Antivirus is your main vehicle for next-generation protection, and it has the same hardware requirements as of Windows 10. For more information, see:
+Windows Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see:
- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
@@ -47,15 +50,10 @@ Windows Defender Antivirus is your main vehicle for next-generation protection,
For information on how to configure next-generation protection services, see [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md).
> [!Note]
-> Configuration and management is largely the same in Windows Server 2016, while running Windows Defender Antivirus; however, there are some differences. To learn more, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md).
+> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Windows Defender Antivirus; however, there are some differences. To learn more, see [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md).
-## Related topics
+## Related articles
-- [Full version history for Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
- [Windows Defender Antivirus management and configuration](configuration-management-reference-windows-defender-antivirus.md)
+
- [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
-- [Enable cloud protection](enable-cloud-protection-windows-defender-antivirus.md)
-- [Configure real-time protection](configure-real-time-protection-windows-defender-antivirus.md)
-- [Enable block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
-- [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-- [Create and deploy cloud-protected antimalware policies](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index 5af8d81560..6ff0b08f83 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Antivirus on Windows Server 2016
-description: Enable and configure Windows Defender AV on Windows Server 2016
+title: Windows Defender Antivirus on Windows Server 2016 and 2019
+description: Enable and configure Windows Defender AV on Windows Server 2016 and 2019
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -11,177 +11,206 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 09/10/2019
+ms.date: 02/25/2020
ms.reviewer:
manager: dansimp
---
-# Windows Defender Antivirus on Windows Server 2016
+# Windows Defender Antivirus on Windows Server 2016 and 2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
+Windows Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Windows Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
-While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
+While the functionality, configuration, and management are largely the same for Windows Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
-- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
-- In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
+- In Windows Server, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server, Windows Defender Antivirus does not automatically disable itself if you are running another antivirus product.
-This topic includes the following instructions for setting up and running Windows Defender AV on a server platform:
+## The process at a glance
-- [Enable the interface](#enable-or-disable-the-interface-on-windows-server-2016)
+The process of setting up and running Windows Defender Antivirus on a server platform includes several steps:
-- [Verify Windows Defender AV is running](#verify-windows-defender-is-running)
+1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019)
-- [Update antimalware Security intelligence](#update-antimalware-security-intelligence)
+2. [Install Windows Defender Antivirus](#install-windows-defender-antivirus-on-windows-server-2016-or-2019)
-- [Submit Samples](#submit-samples)
+2. [Verify Windows Defender Antivirus is running](#verify-windows-defender-antivirus-is-running)
-- [Configure automatic exclusions](#configure-automatic-exclusions)
+3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence)
-## Enable or disable the interface on Windows Server 2016
-By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required.
+4. (As needed) [Submit samples](#submit-samples)
->[!NOTE]
->You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
+5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions)
-If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option.
+6. (Only if necessary) [Uninstall Windows Defender Antivirus](#need-to-uninstall-windows-defender-antivirus)
+
+## Enable the user interface on Windows Server 2016 or 2019
+
+By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Windows Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
+
+### Turn on the GUI using the Add Roles and Features Wizard
+
+1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
+
+2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option.
+
+In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
-See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard.
+In Windows Server 2019, the **Add Roles and Feature Wizard** looks like this:
-The following PowerShell cmdlet will also enable the interface:
+
+
+### Turn on the GUI using PowerShell
+
+The following PowerShell cmdlet will enable the interface:
```PowerShell
Install-WindowsFeature -Name Windows-Defender-GUI
```
-To hide the interface, use the **Remove Roles and Features Wizard** and deselect the **GUI for Windows Defender** option at the **Features** step, or use the following PowerShell cmdlet:
+## Install Windows Defender Antivirus on Windows Server 2016 or 2019
+You can use either the **Add Roles and Features Wizard** or PowerShell to install Windows Defender Antivirus.
-```PowerShell
-Uninstall-WindowsFeature -Name Windows-Defender-GUI
-```
+### Use the Add Roles and Features Wizard
+1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
->[!IMPORTANT]
-> Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
+2. When you get to the **Features** step of the wizard, select the Windows Defender Antivirus option. Also select the **GUI for Windows Defender** option.
-## Install or uninstall Windows Defender AV on Windows Server 2016
+### Use PowerShell
-
-You can also uninstall Windows Defender AV completely with the **Remove Roles and Features Wizard** by deselecting the **Windows Defender Features** option at the **Features** step in the wizard.
-
-This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine. See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
-
->[!NOTE]
->Deselecting **Windows Defender** on its own under the **Windows Defender Features** section will automatically prompt you to remove the interface option **GUI for Windows Defender**.
-
-
-
-
-The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016:
-
-
-```PowerShell
-Uninstall-WindowsFeature -Name Windows-Defender
-```
-
-To install Windows Defender AV again, use the **Add Roles and Features Wizard** and ensure the **Windows Defender** feature is selected. You can also enable the interface by selecting the **GUID for Windows Defender** option.
-
-You can also use the following PowerShell cmdlet to install Windows Defender AV:
+To use PowerShell to install Windows Defender Antivirus, run the following cmdlet:
```PowerShell
Install-WindowsFeature -Name Windows-Defender
```
-> [!TIP]
-> Event messages for the antimalware engine included with Windows Defender AV can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md).
+Event messages for the antimalware engine included with Windows Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md).
-## Verify Windows Defender is running
+## Verify Windows Defender Antivirus is running
-To verify that Windows Defender AV is running on the server, run the following PowerShell cmdlet:
+To verify that Windows Defender Antivirus is running on your server, run the following PowerShell cmdlet:
```PowerShell
Get-Service -Name windefend
```
-To verify that firewall protection through Windows Defender is turned on, run the following PowerShell cmdlet:
+To verify that firewall protection is turned on, run the following PowerShell cmdlet:
-```PowerShell
+```PowerShell
Get-Service -Name mpssvc
```
-As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender AV is running. To do that, run the following command from a command prompt:
+As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender Antivirus is running. To do that, run the following command from a command prompt:
```DOS
sc query Windefend
```
-The `sc query` command returns information about the Windows Defender service. If Windows Defender is running, the `STATE` value displays `RUNNING`.
+The `sc query` command returns information about the Windows Defender Antivirus service. When Windows Defender Antivirus is running, the `STATE` value displays `RUNNING`.
## Update antimalware Security intelligence
-In order to get updated antimalware Security intelligence , you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage.
+In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage.
-By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods:
+By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods:
-- **Windows Update** in Control Panel.
- - **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates.
-
- - **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.
-
-- **Group Policy**. You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates**
-
-- The **AUOptions** registry key. The following two values allow Windows Update to automatically download and install Security intelligence updates.
-
- - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
-
- - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.
+|Method |Description |
+|---------|---------|
+|**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
+|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |
+|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
- **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
To ensure that protection from malware is maintained, we recommend that you enable the following services:
-- Windows Error Reporting service
+- Windows Error Reporting service
-- Windows Update service
+- Windows Update service
-The following table lists the services for Windows Defender and the dependent services.
+The following table lists the services for Windows Defender Antivirus and the dependent services.
|Service Name|File Location|Description|
|--------|---------|--------|
-|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.|
-|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.|
-|Windows Defender Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Defender Firewall service enabled.|
-|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
+|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Windows Defender Antivirus service that needs to be running at all times.|
+|Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.|
+|Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.|
+|Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
-## Submit Samples
+## Submit samples
-Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence.
+Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
+
+### Submit a file
+
+1. Review the [submission guide](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+
+2. Visit the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission), and submit your file.
-We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
### Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings:
-- **0** Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI.
-
-- **1** Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files.
-
-- **2** Never send. The Windows Defender service does not prompt and does not send any files.
-
-- **3** Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation.
+|Setting |Description |
+|---------|---------|
+|**0** Always prompt |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
+|**1** Send safe samples automatically |The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
+|**2** Never send |The Windows Defender Antivirus service does not prompt and does not send any files. |
+|**3** Send all samples automatically |The Windows Defender Antivirus service sends all files without a prompt for confirmation. |
## Configure automatic exclusions
-To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender AV on Server 2016.
+To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender Antivirus on Windows Server 2016 or 2019.
+
+See [Configure exclusions in Windows Defender Antivirus on Windows Server](configure-server-exclusions-windows-defender-antivirus.md).
+
+## Need to uninstall Windows Defender Antivirus?
+
+If you are using a third-party antivirus solution and you're running into issues with that solution and Windows Defender Antivirus, you can consider uninstalling Windows Defender Antivirus. Before you do that, review the following resources:
+
+- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
+
+- See [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection.
+
+If you determine you do want to uninstall Windows Defender Antivirus, follow the steps in the following sections.
+
+### Uninstall Windows Defender Antivirus using the Remove Roles and Features wizard
+
+1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
+
+2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option.
+
+ If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
+
+ Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
+
+### Uninstall Windows Defender Antivirus using PowerShell
+
+>[!NOTE]
+>You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
+
+The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016 or 2019:
+
+```PowerShell
+Uninstall-WindowsFeature -Name Windows-Defender
+```
+
+### Turn off the GUI using PowerShell
+
+To turn off the Windows Defender Antivirus GUI, use the following PowerShell cmdlet:
+
+```PowerShell
+Uninstall-WindowsFeature -Name Windows-Defender-GUI
+```
-See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information.
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 7275492629..5ade5917e6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -21,23 +21,24 @@
### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
-### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
+### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
-### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
+### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
+### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
#### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md)
-### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
-### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
-#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md)
### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md)
+## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md)
+### [Understanding Application Control events](event-id-explanations.md)
+### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
## [AppLocker](applocker\applocker-overview.md)
### [Administer AppLocker](applocker\administer-applocker.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index 320db86050..b7d7885b7f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -23,7 +23,10 @@ ms.date: 10/16/2017
- Windows 10
- Windows Server
-This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
+This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
+
+> [!NOTE]
+> AppLocker is unable to control processes running under the system account on any operating system.
AppLocker can help you:
@@ -78,6 +81,9 @@ The following are examples of scenarios in which AppLocker can be used:
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage.
+> [!NOTE]
+> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
+
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
## Installing AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
index acfdd8e57d..9f6e032b66 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -1,6 +1,6 @@
---
title: Document your AppLocker rules (Windows 10)
-description: Learn how to document your Applocker rules with this planning guide. Associate rule conditions with files, permissions, rule source, and implementation.
+description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation.
ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd
ms.reviewer:
ms.author: dansimp
@@ -23,7 +23,7 @@ ms.date: 09/21/2017
- Windows 10
- Windows Server
-This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.
+This topic describes what AppLocker rule conditions to associate with each file, how to associate these rule conditions, the source of the rule, and whether the file should be included or excluded.
## Record your findings
@@ -119,9 +119,10 @@ The following table details sample data for documenting rule type and rule condi
+
## Next steps
-For each rule, determine whether to use the allow or deny option. Then, three tasks remain:
+For each rule, determine whether to use the allow or deny option, and then complete the following tasks:
- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index 9e6f941382..e07be3cc57 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -27,7 +27,7 @@ ms.date: 02/28/2018
- Windows 10
- Windows Server 2016
-As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
+As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate.
Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
@@ -98,7 +98,7 @@ Now that the template is available to be issued, you must request one from the c
>[!NOTE]
>If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
-This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
+This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
1. Right-click the certificate, point to **All Tasks**, and then click **Export**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 6fc44116aa..d25131d06d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -43,8 +43,8 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo
- All clients are running Windows 10 version 1903 or above;
- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
-> [!NOTE]
-> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM)
+ > [!NOTE]
+ > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM).
- Some, but not all, apps are deployed using MEMCM;
- Most users are local administrators on their devices;
@@ -117,7 +117,7 @@ Alice follows these steps to complete this task:
$PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
- Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
```
7. If appropriate, add additional signer or file rules to further customize the policy for your organization.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 1accae5758..1ea8df15e9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -81,7 +81,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
`PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
>[!NOTE]
->Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values.
+>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor.
@@ -95,16 +95,16 @@ Packages can fail for the following reasons:
- To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop
- Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this was the most recent USN when you ran PackageInspector start)
- `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
- - ReadJournal command should throw an error if the older USNs don’t exist anymore due to overflow
+ - ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow
- For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help
- To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small)
- To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously)
- Package files that change hash each time the package is installed
- Package Inspector is completely incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package will not work with Package Inspector
-- Files with an invalid signature blob or otherwise “unhashable” files
+- Files with an invalid signature blob or otherwise "unhashable" files
- This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec.
- - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can’t be allowed by hash due to authenticode hashing algorithm rejecting it)
- - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this “unhashable” state and renders the file unable to be allowed by Device Guard (regardless of if you try to allow directly by policy or resign with Package Inspector)
+ - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it)
+ - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector)
## Catalog signing with SignTool.exe
@@ -124,7 +124,7 @@ To sign the existing catalog file, copy each of the following commands into an e
`$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
-2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store.
+2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store.
3. Sign the catalog file with Signtool.exe:
@@ -219,7 +219,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s
## Deploy catalog files with Microsoft Endpoint Configuration Manager
-As an alternative to Group Policy, you can use Microsoft Endpoint Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Microsoft Endpoint Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
+As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
>[!NOTE]
>The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
@@ -294,7 +294,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s
## Inventory catalog files with Microsoft Endpoint Configuration Manager
-When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Microsoft Endpoint Configuration Manager, you can inventory them with the software inventory feature of Microsoft Endpoint Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
+When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
>[!NOTE]
>A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names.
@@ -332,7 +332,7 @@ When catalog files have been deployed to the computers within your environment,
9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files.
-At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Microsoft Endpoint Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
+At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
1. Open the Configuration Manager console, and select the Assets and Compliance workspace.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index 5c089e58ac..1700437f22 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -24,7 +24,7 @@ ms.date: 02/28/2018
- Windows 10
- Windows Server 2016
-WDAC policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
+WDAC policies can easily be deployed and managed with Group Policy. Windows Defender allows you to simplify deployment Windows Defender hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
> [!NOTE]
> This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md), earlier in this topic.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 128fb4d3a3..48ce449ecd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -14,12 +14,9 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 05/17/2018
+ms.date: 02/28/2020
---
-> [!NOTE]
-> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
-
# Deploy Windows Defender Application Control policies by using Microsoft Intune
**Applies to:**
@@ -33,6 +30,10 @@ In order to deploy a custom policy through Intune and define your own circle of
## Using Intune's Built-In Policies
+Intune's built-in WDAC support enables you to deploy a policy which only allows Windows components and Microsoft Store apps to run. This policy is the non-Multiple Policy Format version of the DefaultWindows policy; the Multiple Policy Format version can be found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies.
+
+Setting "Trust apps with good reputation" to enabled is equivalent to adding [Option 14 (Enabled: Intelligent Security Graph Authorization)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-policy-rules) to the DefaultWindows policy.
+
1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
new file mode 100644
index 0000000000..182c28dedc
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -0,0 +1,80 @@
+---
+title: Understanding Application Control events (Windows 10)
+description: Learn what different Windows Defender Application Control events signify.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 3/17/2020
+---
+
+# Understanding Application Control events
+
+A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
+
+1. Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+2. Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+
+## Microsoft Windows CodeIntegrity Operational log event IDs
+
+| Event ID | Explanation |
+|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 3076 | Audit executable/dll file |
+| 3077 | Block executable/dll file |
+| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. |
+| 3099 | Indicates that a policy has been loaded |
+
+## Microsoft Windows Applocker MSI and Script log event IDs
+
+| Event ID | Explanation |
+|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. |
+| 8029 | Block script/MSI file |
+| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | |
+
+## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
+
+If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
+
+| Event ID | Explanation |
+|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 3090 | Allow executable/dll file |
+| 3091 | Audit executable/dll file |
+| 3092 | Block executable/dll file |
+
+3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated.
+
+### SmartLocker template
+
+Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.
+
+| Name | Explanation |
+|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
+| ManagedInstallerEnabled | Policy trusts a MI |
+| PassesManagedInstaller | File originated from a trusted MI |
+| SmartlockerEnabled | Policy trusts the ISG |
+| PassesSmartlocker | File had positive reputation |
+| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode |
+
+### Enabling ISG and MI diagnostic events
+
+In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command:
+
+ ```powershell
+ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100
+ ```
+In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command:
+
+ ```powershell
+ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
+ ```
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 67a0e29bf9..ab45f10ade 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 04/20/2018
+ms.date: 03/04/2020
---
# Understand WDAC policy rules and file rules
@@ -28,7 +28,7 @@ Windows Defender Application Control (WDAC) provides control over a computer run
## Windows Defender Application Control policy rules
-To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
+To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
@@ -65,10 +65,10 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
-| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
-| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
-| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
-| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
+| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.|
+| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. |
+| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. NOTE: This option is only supported on Windows 10, version 1903, and above. |
+| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. |
## Windows Defender Application Control file rule levels
@@ -120,9 +120,25 @@ There is a defined list of SIDs which WDAC recognizes as admins. If a filepath a
WDAC's list of well-known admin SIDs are:
S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
-When generating filepath rules using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), a unique, fully-qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](https://docs.microsoft.com/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards and include them in your [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) scan using the -Rules switch.
+When generating filepath rules using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), a unique, fully-qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](https://docs.microsoft.com/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards using the [-FilePathRules](https://docs.microsoft.com/powershell/module/configci/new-cipolicyrule#parameters) switch.
-Wildcards can be used at the beginning or end of a path rule: only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. C:\\* would include C:\foo\\* ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. \*\bar.exe would allow C:\bar.exe and C:\foo\bar.exe). Wildcards in the middle of a path are not supported (ex. C:\\*\foo.exe). Without a wildcard, the rule will allow only a specific file (ex. C:\foo\bar.exe).
Supported macros: %WINDIR%, %SYSTEM32%, %OSDRIVE%.
+Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\\*` would include `C:\foo\\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path are not supported (ex. `C:\\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`).
The use of macros is also supported and useful in scenarios where the system drive is different from the `C:\` drive. Supported macros: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
> [!NOTE]
> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md)
+
+## Windows Defender Application Control filename rules
+
+File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
+
+Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario. For instance, an LOB or production application and its binaries (eg. DLLs) may all share the same product name. This allows users to easily create targeted policies based on the Product Name filename rule level.
+
+**Table 3. Windows Defender Application Control policy - filename levels**
+
+| Rule level | Description |
+|----------- | ----------- |
+| **File Description** | Specifies the file description provided by the developer of the binary. |
+| **Internal Name** | Specifies the internal name of the binary. |
+| **Original File Name** | Specifies the original file name, or the name with which the file was first created, of the binary. |
+| **Package Family Name** | Specifies the package family name of the binary. The package family name consists of two parts: the name of the file and the publisher ID. |
+| **Product Name** | Specifies the name of the product with which the binary ships. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
deleted file mode 100644
index 4d6bb94c8f..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Signing Windows Defender Application Control policies with SignTool.exe (Windows 10)
-description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10.
-keywords: whitelisting, security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-ms.collection: M365-security-compliance
-author: jsuther1974
-ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
-ms.date: 02/21/2018
----
-
-# Signing Windows Defender Application Control policies with SignTool.exe
-
-**Applies to:**
-
-- Windows 10
-- Windows Server 2016
-
-Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
-In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer.
-These policies are designed to prevent administrative tampering and kernel mode exploit access.
-With this in mind, it is much more difficult to remove signed WDAC policies.
-Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
-
-Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
-If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
-
-Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
-
-To sign a WDAC policy with SignTool.exe, you need the following components:
-
-- SignTool.exe, found in the Windows SDK (Windows 7 or later)
-
-- The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section or another WDAC policy that you have created
-
-- An internal CA code signing certificate or a purchased code signing certificate
-
-If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
-
-1. Initialize the variables that will be used:
-
- `$CIPolicyPath=$env:userprofile+"\Desktop\"`
-
- `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
-
- `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
-
- > [!NOTE]
- > This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
-
-2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
-
-3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
-
-4. Navigate to your desktop as the working directory:
-
- `cd $env:USERPROFILE\Desktop`
-
-5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
-
- `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update`
-
- > [!NOTE]
- > \ should be the full path to the certificate that you exported in step 3.
- Also, adding update signers is crucial to being able to modify or disable this policy in the future.
-
-6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
-
- `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
-
-7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
-
- `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
-
-8. Sign the WDAC policy by using SignTool.exe:
-
- ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
-
- > [!NOTE]
- > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
-
-9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 04a21aa98f..1fe1a3c6b0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -35,7 +35,7 @@ You should consider using WDAC as part of your organization's application contro
- You have deployed or plan to deploy the supported versions of Windows in your organization.
- You need improved control over the access to your organization's applications and the data your users access.
-- Your organization has a well-defined process for application management and deployed.
+- Your organization has a well-defined process for application management and deployment.
- You have resources to test policies against the organization's requirements.
- You have resources to involve Help Desk or to build a self-help process for end-user application access issues.
- The group's requirements for productivity, manageability, and security can be controlled by restrictive policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index 76cec7912f..da33a878fe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -31,7 +31,7 @@ This topic covers guidelines for using code signing control classic Windows apps
## Reviewing your applications: application signing and catalog files
-Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
+Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
@@ -45,7 +45,7 @@ To obtain signed applications or embed signatures in your in-house applications,
To use catalog signing, you can choose from the following options:
-- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+- Use the Windows Defender signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications.
- Create your own catalog files, which are described in the next section.
@@ -53,12 +53,12 @@ To use catalog signing, you can choose from the following options:
Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
-Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also.
+Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also.
After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
> [!NOTE]
-> Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
+> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index edbac5d2b9..7386316a87 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -28,10 +28,8 @@ ms.date: 05/03/2018
- Windows Server 2016
-Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
-In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer.
-These policies are designed to prevent administrative tampering and kernel mode exploit access.
-With this in mind, it is much more difficult to remove signed WDAC policies.
+Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
+
Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index d516a6f73a..7c9d0b4790 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 06/14/2018
+ms.date: 03/10/2020
---
# Authorize reputable apps with the Intelligent Security Graph (ISG)
@@ -24,34 +24,33 @@ ms.date: 06/14/2018
- Windows 10
- Windows Server 2016 and above
-Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system.
-In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.
+Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.
-Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as Intelligent Security Graph (ISG) authorization, that allows IT administrators to automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. The ISG option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software.
+Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as the Microsoft Intelligent Security Graph authorization, that allows IT administrators to automatically authorize applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The Microsoft Intelligent Security Graph option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](https://docs.microsoft.com/graph/overview-major-services).
## How does the integration between WDAC and the Intelligent Security Graph work?
-The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision.
+The Microsoft Intelligent Security Graph relies on the same vast security intelligence and machine learning analytics which power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having known good, known bad, or unknown reputation. When an unevaluated file is run on a system with WDAC enabled with the Microsoft Intelligent Security Graph authorization option specified, WDAC queries the file's reputation by sending its hash and signing information to the cloud. If the Microsoft Intelligent Security Graph determines that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the file tries to execute, if there are no explicit deny rules present for the file, it will be allowed to run based on its positive reputation. Conversely, a file that has unknown or known bad reputation will still be allowed to run in the presence of a rule that explicitly allows the file.
-After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification.
+Additionally, an application installer which is determined to have known good reputation will pass along that positive reputation to any files that it writes. This way, all the files needed to install and run an app are granted positive reputation data.
-The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot.
+WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
>[!NOTE]
->Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Intune can be used to create and push a WDAC policy to your client machines.
+>Admins should make sure there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Manager Configuration Manager (MEMCM) and Microsoft Endpoint Manager Intune (MEM Intune) can be used to create and push a WDAC policy to your client machines.
-Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy).
+Other examples of WDAC policies are available in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy).
## Configuring Intelligent Security Graph authorization for Windows Defender Application Control
-Setting up the ISG authorization is easy regardless of what management solution you use. Configuring the ISG option involves these basic steps:
+Setting up the Microsoft Intelligent Security Graph authorization is easy regardless of what management solution you use. Configuring the Microsoft Intelligent Security Graph option involves these basic steps:
-- [Ensure that the ISG option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml)
-- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
+- [Ensure that the Microsoft Intelligent Security Graph option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml)
+- [Enable the necessary services to allow WDAC to use the Microsoft Intelligent Security Graph correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML
-In order to enable trust for executables based on classifications in the ISG, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set.
+In order to enable trust for executables based on classifications in the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached Intelligent Security Graph results on reboot to force rechecking of applications against the Microsoft Intelligent Security Graph. Caution is advised if devices will regularly transition to and from environments that may not be able to access the Microsoft Intelligent Security Graph. The following example shows both options being set.
```code
@@ -81,29 +80,29 @@ In order to enable trust for executables based on classifications in the ISG, th
### Enable the necessary services to allow WDAC to use the ISG correctly on the client
-In order for the heuristics used by the ISG to function properly, a number of component in Windows need to be enabled. The easiest way to do this is to run the appidtel executable in c:\windows\system32.
+In order for the heuristics used by the Microsoft Intelligent Security Graph to function properly, a number of component in Windows must be enabled. The easiest way to do this is to run the appidtel executable in `c:\windows\system32`.
```
appidtel start
```
-For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the Configuration Manager WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through Configuration Manager then this step is required.
+This step is not required for WDAC policies deployed over MDM using the AppLocker CSP, as the CSP will enable the necessary components. This step is also not required when enabling the Microsoft Intelligent Security Graph through the MEMCM WDAC UX. However, if custom policies are being deployed outside of the WDAC UX through MEMCM, then this step is required.
## Security considerations with the Intelligent Security Graph
-Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing.
+Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Microsoft Defender Advanced Threat Protection to help provide optics into what users are doing.
-Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the ISG option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The ISG option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize.
+Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the Microsoft Intelligent Security Graph option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The Microsoft Intelligent Security Graph option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize.
## Known limitations with using the Intelligent Security Graph
-Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.
+Since the Microsoft Intelligent Security Graph relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.
-Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business, it is straightforward to authorize modern apps with signer rules in the WDAC policy.
+Modern apps are not supported with the Microsoft Intelligent Security Graph heuristics and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business, it is straightforward to authorize modern apps with signer rules in the WDAC policy.
-The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
+The Microsoft Intelligent Security Graph heuristics do not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases.
>[!NOTE]
-> A rule that explicitly allows an application will take precedence over the ISG rule that does not allow it. In this scenario, this policy is not compatible with Intune, where there is no option to add rules to the template that enables ISG. In most circumstances you would need to build a custom WDAC policy, including ISG if desired.
+> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. MEM Intune's built-in WDAC support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune#using-a-custom-oma-uri-profile).
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 232b40eec6..9e0b0651d1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -29,20 +29,20 @@ This topic provides a roadmap for planning and getting started on the Windows De
1. Review requirements, especially hardware requirements for VBS.
-2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
+2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
Deployment is simpler if everything is locked down in the same way, but meeting individual departments' needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create:
- How standardized is the hardware?
This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
- - What software does each department or role need? Should they be able to install and run other departments’ software?
If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
+ - What software does each department or role need? Should they be able to install and run other departments' software?
If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
- Are there departments or roles where unique, restricted software is used?
If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.
- Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline WDAC policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
- In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.
+ In day-to-day operations, your organization's security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
@@ -70,7 +70,7 @@ This topic provides a roadmap for planning and getting started on the Windows De
## Known issues
-This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
+This section covers known issues with WDAC. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
Test this configuration in your lab before enabling it in production.
### MSI Installations are blocked by WDAC
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
new file mode 100644
index 0000000000..a34e52ab58
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -0,0 +1,42 @@
+---
+title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10)
+description: Gather information about how your deployed Windows Defender Application Control policies are behaving.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 03/16/2020
+---
+
+# Windows Defender Application Control operational guide
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature.
+
+## WDAC Events Overview
+
+WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
+
+WDAC events are generated under two locations:
+
+1. Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+2. Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. |
+| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index ba4929c2f6..827bc6fab0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -14,7 +14,7 @@ author: denisebmsft
ms.reviewer: isbrahm
ms.author: deniseb
manager: dansimp
-ms.date: 01/08/2019
+ms.date: 01/31/2020
ms.custom: asr
---
@@ -46,7 +46,7 @@ Windows 10 includes two technologies that can be used for application control de
Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
> [!NOTE]
-> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies.
+> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
@@ -58,9 +58,8 @@ WDAC policies apply to the managed computer as a whole and affects all users of
### WDAC System Requirements
-WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above.
-They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
-Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above.
+WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
+WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
## AppLocker
@@ -98,6 +97,23 @@ Although either AppLocker or WDAC can be used to control application execution o
AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
+## WDAC and AppLocker Feature Availability
+| Capability | WDAC | AppLocker |
+|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Platform support | Available on Windows 10 | Available on Windows 8+ |
+| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. |
+| Management solutions | - [Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)
- [Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy)
- PowerShell
| - [Intune](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
- MEMCM (custom policy deployment via Software Distribution only)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement)
- PowerShell
|
+| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
+| Kernel mode policies | Available on all Windows 10 versions | Not available |
+| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
+| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
+| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
+| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
+| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
+| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
+| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
+| Enforceable file types | - Driver files: .sys
- Executable files: .exe and .com
- DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .vbs, and .js
- Packaged apps and packaged app installers: .appx
| - Executable files: .exe and .com
- [Optional] DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .bat, .cmd, .vbs, and .js
- Packaged apps and packaged app installers: .appx
|
+
## See also
- [WDAC design guide](windows-defender-application-control-design-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 0684b674b2..1e8839b354 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -83,7 +83,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
### Is there a size limit to the domain lists that I need to configure?
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg
new file mode 100644
index 0000000000..428f96e9b5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index 11045f435f..cdf47d7a4a 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -28,7 +28,7 @@ See [System requirements for Windows Defender Application Guard](https://docs.mi
## Prepare for Windows Defender Application Guard
Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
-**Standalone mode**
+### Standalone mode
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
@@ -36,7 +36,7 @@ Applies to:
Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario.
-**Enterprise-managed mode**
+## Enterprise-managed mode
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
@@ -47,9 +47,11 @@ The following diagram shows the flow between the host PC and the isolated contai
## Install Application Guard
-Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
-**To install by using the Control Panel**
+Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
+
+### To install by using the Control Panel
+
1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
@@ -58,12 +60,11 @@ Application Guard functionality is turned off by default. However, you can quick
Application Guard and its underlying dependencies are all installed.
-**To install by using PowerShell**
+### To install by using PowerShell
>[!NOTE]
>Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
-
1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
@@ -79,3 +80,46 @@ Application Guard functionality is turned off by default. However, you can quick
Application Guard and its underlying dependencies are all installed.
+### To install by using Intune
+
+> [!IMPORTANT]
+> Make sure your organization's devices meet [requirements](reqs-wd-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
+
+:::image type="complex" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Endpoint protection profile":::
+
+:::image-end:::
+
+1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
+
+2. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
+
+ a. In the **Platform** list, select **Windows 10 and later**.
+
+ b. In the **Profile** list, select **Endpoint protection**.
+
+ c. Choose **Create**.
+
+4. Specify the following settings for the profile:
+
+ - **Name** and **Description**
+
+ - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**.
+
+ - In the **Application Guard** list, choose **Enabled for Edge**.
+
+ - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings.
+
+5. Choose **OK**, and then choose **OK** again.
+
+6. Review your settings, and then choose **Create**.
+
+7. Choose **Assignments**, and then do the following:
+
+ a. On the **Include** tab, in the **Assign to** list, choose an option.
+
+ b. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab.
+
+ c. Click **Save**.
+
+After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
+
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index c8d5d6ec1c..ca449ea92c 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 11/09/2017
+ms.date: 02/11/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
index 6f9c6ff4ff..a5eebdf2a2 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@@ -8,7 +8,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 03/15/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -28,9 +27,9 @@ We've come up with a list of scenarios that you can use to test hardware-based i
You can see how an employee would use standalone mode with Application Guard.
-**To test Application Guard in Standalone mode**
+### To test Application Guard in Standalone mode
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
+1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
@@ -84,11 +83,11 @@ Before you can use Application Guard in enterprise mode, you must install Window
6. Start Microsoft Edge and type www.microsoft.com.
- After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.
+ After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
-7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.
+7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
@@ -109,7 +108,7 @@ Application Guard provides the following default behavior for your employees:
You have the option to change each of these settings to work with your enterprise from within Group Policy.
**Applies to:**
-- Windows 10 Enterpise edition, version 1709 or higher
+- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
#### Copy and paste options
@@ -169,10 +168,10 @@ You have the option to change each of these settings to work with your enterpris
The previously added site should still appear in your **Favorites** list.
>[!NOTE]
- >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
+ >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
**Applies to:**
-- Windows 10 Enterpise edition, version 1803
+- Windows 10 Enterprise edition, version 1803
- Windows 10 Professional edition, version 1803
#### Download options
@@ -202,7 +201,7 @@ You have the option to change each of these settings to work with your enterpris
4. Assess the visual experience and battery performance.
**Applies to:**
-- Windows 10 Enterpise edition, version 1809
+- Windows 10 Enterprise edition, version 1809
- Windows 10 Professional edition, version 1809
#### File trust options
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index 2ce382c919..d02b829376 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -24,7 +24,7 @@ manager: dansimp
- Windows 10, version 1703 and later
-The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
+The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
The [Windows 10 IT pro troubleshooting topic](https://docs.microsoft.com/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](https://docs.microsoft.com/windows/windows-10/) can also be helpful for resolving issues.
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
deleted file mode 100644
index d22f241c9b..0000000000
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Windows Defender SmartScreen overview (Windows 10)
-description: Conceptual info about Windows Defender SmartScreen.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.author: macapara
-audience: ITPro
-ms.localizationpriority: medium
-ms.date: 11/27/2019
-ms.reviewer:
-manager: dansimp
----
-
-# Windows Defender SmartScreen
-
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
-
-Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files.
-
-**Windows Defender SmartScreen determines whether a site is potentially malicious by:**
-
-- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender Smartscreen determines that a page is suspicious, it will show a warning page to advise caution.
-
-- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-
-**Windows Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
-
-- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-
-- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
-
- >[!NOTE]
- >Before Windows 10, version 1703, this feature was called _the SmartScreen filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser.
-
-## Benefits of Windows Defender SmartScreen
-
-Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
-
-- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
-
-- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
-
-- **Operating system integration.** Windows Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
-
-- **Improved heuristics and diagnostic data.** Windows Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
-
-- **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
-
-- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
-
-## Viewing Windows Defender SmartScreen anti-phishing events
-
-When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
-
-## Viewing Windows event logs for Windows Defender SmartScreen
-Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
-
-Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
-
-```
-wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
-```
-
-> [!NOTE]
-> For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1).
-
-
-EventID | Description
--|-
-1000 | Application Windows Defender SmartScreen Event
-1001 | Uri Windows Defender SmartScreen Event
-1002 | User Decision Windows Defender SmartScreen Event
-
-## Related topics
-- [Windows Defender SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
-
-- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
-- [Threat protection](../index.md)
-- [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
deleted file mode 100644
index bdbd3df95e..0000000000
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
-description: Learn how employees can use Windows Security to set up Windows Defender SmartScreen. Windows Defender SmartScreen protects users from running malicious apps.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-ms.reviewer:
-manager: dansimp
-ms.author: macapara
----
-
-# Set up and use Windows Defender SmartScreen on individual devices
-
-**Applies to:**
-- Windows 10, version 1703
-- Windows 10 Mobile
-
-Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
-
-## How employees can use Windows Security to set up Windows Defender SmartScreen
-Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it.
-
->[!NOTE]
->If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
-
-**To use Windows Security to set up Windows Defender SmartScreen on a device**
-1. Open the Windows Security app, and then click **App & browser control**.
-
-2. In the **App & browser control** screen, choose from the following options:
-
- - In the **Check apps and files** area:
-
- - **Block.** Stops employees from downloading and running unrecognized apps and files from the web.
-
- - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue.
-
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
-
- - In the **Windows Defender SmartScreen for Microsoft Edge** area:
-
- - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge.
-
- - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge.
-
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
-
- - In the **Windows Defender SmartScreen from Microsoft Store apps** area:
-
- - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
-
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
-
- 
-
-## How Windows Defender SmartScreen works when an employee tries to run an app
-Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
-
-By default, your employees can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
-
-## How employees can report websites as safe or unsafe
-You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
-
-**To report a website as safe from the warning message**
-- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
-
-**To report a website as unsafe from Microsoft Edge**
-- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
-
-**To report a website as unsafe from Internet Explorer 11**
-- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
-
-## Related topics
-- [Threat protection](../index.md)
-
-- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 05dc390aef..c141b00025 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -34,28 +34,30 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
### Group Policy
1. Click **Start** > type and then click **Edit group policy**.
+
2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
-
+ 
### Windows Security Center
Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
-
-
+ 
+
### Registry
1. Open Registry editor.
+
2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**.
+
3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**.
+
4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**.
+
5. Double-click **Enabled**, change the value to **1**, and click **OK**.
-
-
-> [!IMPORTANT]
-> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
+ 
## How to verify System Guard Secure Launch is configured and running
@@ -63,8 +65,8 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
->[!NOTE]
->To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
+> [!NOTE]
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs).
## System requirements for System Guard
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 04739b0f9c..2ddbd8ddd4 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -14,14 +14,13 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
---
# Basic Firewall Policy Design
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
@@ -31,19 +30,20 @@ Traffic can be blocked or permitted based on the characteristics of each network
Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:
-- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
+- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
-- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.
+- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.
- For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
+ For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
-- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization.
+- For other standard network behavior, the predefined rules that are built into Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization.
- For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
+ For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
->**Caution:** Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
+> [!CAUTION]
+> Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later.
@@ -55,20 +55,22 @@ An organization typically uses this design as a first step toward a more compreh
After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
->**Important:** If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
+> [!IMPORTANT]
+> If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules.
For more information about this design:
-- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md).
+- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md).
-- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
+- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
-- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
+- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
-- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
+- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
-- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
+- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
-**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)
+> [!div class="nextstepaction"]
+> [Domain Isolation Policy Design](domain-isolation-policy-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 0798ba72d5..2183c3f911 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Isolation Groups for the Zones (Windows 10)
-description: Planning Isolation Groups for the Zones
+description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs
ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695
ms.reviewer:
ms.author: dansimp
@@ -25,7 +25,8 @@ ms.date: 04/19/2017
Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone.
->**Caution:** Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others.
+> [!CAUTION]
+> Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others.
Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead.
diff --git a/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png b/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png
new file mode 100644
index 0000000000..ef004facab
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png b/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png
new file mode 100644
index 0000000000..8f94ffe396
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png b/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png
new file mode 100644
index 0000000000..bad3e1c0b3
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png b/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png
new file mode 100644
index 0000000000..fe3245e60a
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png b/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png
new file mode 100644
index 0000000000..ee8aa78bbc
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png
new file mode 100644
index 0000000000..94be89b74f
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
new file mode 100644
index 0000000000..db22ee475a
--- /dev/null
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
@@ -0,0 +1,62 @@
+---
+title: Windows Sandbox architecture
+description:
+ms.prod: w10
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection:
+ms.topic: article
+ms.localizationpriority:
+ms.date:
+ms.reviewer:
+---
+
+# Windows Sandbox architecture
+
+Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that isn't available in traditional VMs.
+
+## Dynamically generated image
+
+Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology leverages the copy of Windows already installed on the host.
+
+Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and cannot be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows.
+
+Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.
+
+
+
+## Memory management
+
+Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.
+
+
+
+## Memory sharing
+
+Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
+
+
+
+## Integrated kernel scheduler
+
+With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
+
+
+
+Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it's on the host or in the container.
+
+## WDDM GPU virtualization
+
+Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
+
+This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.
+
+
+
+To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
+
+## Battery pass-through
+
+Windows Sandbox is also aware of the host's battery state, which allows it to optimize its power consumption. This functionality is critical for technology that is used on laptops, where battery life is often critical.
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
new file mode 100644
index 0000000000..2ac125c33b
--- /dev/null
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -0,0 +1,216 @@
+---
+title: Windows Sandbox configuration
+description:
+ms.prod: w10
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection:
+ms.topic: article
+ms.localizationpriority:
+ms.date:
+ms.reviewer:
+---
+
+# Windows Sandbox configuration
+
+Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later.
+
+Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here:
+
+**C:\Temp> MyConfigFile.wsb**
+
+ A configuration file enables the user to control the following aspects of Windows Sandbox:
+- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
+- **Networking**: Enable or disable network access within the sandbox.
+- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
+- **Logon command**: A command that's executed when Windows Sandbox starts.
+- **Audio input**: Shares the host's microphone input into the sandbox.
+- **Video input**: Shares the host's webcam input into the sandbox.
+- **Protected client**: Places increased security settings on the RDP session to the sandbox.
+- **Printer redirection**: Shares printers from the host into the sandbox.
+- **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
+- **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox.
+
+**Keywords, values, and limits**
+
+**vGPU**: Enables or disables GPU sharing.
+
+`value`
+
+Supported values:
+- *Enable*: Enables vGPU support in the sandbox.
+- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU.
+- *Default* This is the default value for vGPU support. Currently this means vGPU is disabled.
+
+> [!NOTE]
+> Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
+
+**Networking**: Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.
+
+`value`
+
+Supported values:
+- *Disable*: Disables networking in the sandbox.
+- *Default*: This is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
+
+> [!NOTE]
+> Enabling networking can expose untrusted applications to the internal network.
+
+**Mapped folders**: An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop.
+
+```xml
+
+
+ absolute path to the host folder
+ absolute path to the sandbox folder
+ value
+
+
+ ...
+
+
+```
+
+*HostFolder*: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already exist on the host, or the container will fail to start.
+
+*SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop.
+
+*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
+
+
+> [!NOTE]
+> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
+
+**Logon command**: Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account.
+
+```xml
+
+ command to be invoked
+
+```
+
+*Command*: A path to an executable or script inside the container that will be executed after login.
+
+> [!NOTE]
+> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive.
+
+**Audio input**: Enables or disables audio input to the sandbox.
+
+`value`
+
+Supported values:
+- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
+- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
+- *Default*: This is the default value for audio input support. Currently this means audio input is enabled.
+
+> [!NOTE]
+> There may be security implications of exposing host audio input to the container.
+
+**Video input**: Enables or disables video input to the sandbox.
+
+`value`
+
+Supported values:
+- *Enable*: Enables video input in the sandbox.
+- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
+- *Default*: This is the default value for video input support. Currently this means video input is disabled. Applications that use video input may not function properly in the sandbox.
+
+> [!NOTE]
+> There may be security implications of exposing host video input to the container.
+
+**Protected client**: Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface.
+
+`value`
+
+Supported values:
+- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
+- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
+- *Default*: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in Protected Client mode.
+
+> [!NOTE]
+> This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
+
+**Printer redirection**: Enables or disables printer sharing from the host into the sandbox.
+
+`value`
+
+Supported values:
+- *Enable*: Enables sharing of host printers into the sandbox.
+- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
+- *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled.
+
+**Clipboard redirection**: Enables or disables sharing of the host clipboard with the sandbox.
+
+`value`
+
+Supported values:
+- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
+- *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*.
+
+**Memory in MB**: Specifies the amount of memory that the sandbox can use in megabytes (MB).
+
+`value`
+
+If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
+
+***Example 1***
+The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
+
+*Downloads.wsb*
+
+```xml
+
+ Disable
+ Disable
+
+
+ C:\Users\Public\Downloads
+ C:\Users\WDAGUtilityAccount\Downloads
+ true
+
+
+
+ explorer.exe C:\users\WDAGUtilityAccount\Downloads
+
+
+```
+
+***Example 2***
+
+The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
+
+Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
+
+With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
+
+*VSCodeInstall.cmd*
+
+```console
+REM Download Visual Studio Code
+curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
+
+REM Install and run Visual Studio Code
+C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
+```
+
+*VSCode.wsb*
+
+```xml
+
+
+
+ C:\SandboxScripts
+ true
+
+
+ C:\CodingProjects
+ false
+
+
+
+ C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd
+
+
+```
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
new file mode 100644
index 0000000000..fa85062872
--- /dev/null
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -0,0 +1,61 @@
+---
+title: Windows Sandbox
+description:
+ms.prod: w10
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection:
+ms.topic: article
+ms.localizationpriority:
+ms.date:
+ms.reviewer:
+---
+
+# Windows Sandbox
+
+Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
+
+A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application.
+
+Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
+
+Windows Sandbox has the following properties:
+- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
+- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
+- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
+- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
+- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
+
+The following video provides an overview of Windows Sandbox.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo]
+
+
+## Prerequisites
+
+- Windows 10 Pro or Enterprise build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
+- AMD64 architecture
+- Virtualization capabilities enabled in BIOS
+- At least 4 GB of RAM (8 GB recommended)
+- At least 1 GB of free disk space (SSD recommended)
+- At least two CPU cores (four cores with hyperthreading recommended)
+
+## Installation
+
+1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or later.
+2. Enable virtualization on the machine.
+
+ - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
+ - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
**Set -VMProcessor -VMName \ -ExposeVirtualizationExtensions $true**
+1. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
+
+ - If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.
+1. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
+
+## Usage
+1. Copy an executable file (and any other files needed to run the application) from the host into the Windows Sandbox window.
+2. Run the executable file or installer inside the sandbox.
+3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **ok**.
+4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
index 48bfb00d06..1c44d0d42f 100644
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@@ -1,6 +1,6 @@
---
title: Windows security baselines
-description: Learn how to use Windows security baselines in your organization. Specific to Windows 10, Windows Server, and Office 365 ProPlus.
+description: Learn how to use Windows security baselines in your organization. Specific to Windows 10, Windows Server, and Microsoft 365 Apps for enterprise.
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
@@ -21,7 +21,7 @@ ms.reviewer:
- Windows 10
- Windows Server
-- Office 365 ProPlus
+- Microsoft 365 Apps for enterprise
## Using security baselines in your organization
@@ -64,7 +64,7 @@ The security baselines are included in the [Security Compliance Toolkit (SCT)](s
## Community
-[](https://blogs.technet.microsoft.com/secguide/)
+[](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines)
## Related Videos
@@ -73,9 +73,9 @@ You may also be interested in this msdn channel 9 video:
## See Also
-- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
-- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
-- [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/)
-- [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/)
-- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
-- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
+- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
+- [Configuration Management for Nano Server](https://docs.microsoft.com/archive/blogs/grouppolicy/configuration-management-on-servers/)
+- [Microsoft Security Guidance Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
+- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index 81d06744df..d4412fe665 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -55,8 +55,8 @@ No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new
**Client Versions**
| Name | Build | Baseline Release Date | Security Tools |
-|---|---|---|---|
-|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/)
[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)
[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/)
[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017
August 2017
October 2016
January 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| ---- | ----- | --------------------- | -------------- |
+| Windows 10 | [1809 (October 2018)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019)
[1803 (RS4)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-for-windows-10-v1803-redstone-4-draft)
[1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/)
[1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/)
[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)
[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/)
[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2018
March 2018
October 2017
August 2017
October 2016
January 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index d944485086..32282b709b 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -27,6 +27,8 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
+ - Windows 10 Version 1909 (November 2019 Update)
+ - Windows 10 Version 1903 (April 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
@@ -41,7 +43,11 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
+ - Office 365 Pro Plus
- Office 2016
+
+- Microsoft Edge security baseline
+ - Edge Browser Version 80
- Tools
- Policy Analyzer tool
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index f13c8d694c..ec640e3eea 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -53,7 +53,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
## Servicing
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
+- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 89e6ad37a5..5d019f5d03 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -72,7 +72,7 @@ This update includes 5 fixes to allow the host to run down-level containers on u
[Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) (WVD) is now generally available globally!
-Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.
+Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.
## Deployment
+ 
+ 
+ 