mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 02:43:43 +00:00
Merge branch 'master' into mdm-gp-storage-policies
@ -35,10 +35,10 @@ When replacing a user’s device, UE-V automatically restores settings if the us
You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell:

``` syntax
Restore-UevBackup -Machine <MachineName>
Restore-UevBackup -ComputerName <Computer name>
```

where <MachineName> is the computer name of the device.
where <ComputerName> is the computer name of the device.

Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings cannot be included in a roaming profile.

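Review bot: the placeholder in the cmdlet line and the placeholder in the sentence under it no longer match: the code reads `Restore-UevBackup -ComputerName <Computer name>` (with a space) while the explanation says `where <ComputerName> is the computer name of the device`. Use the same token in both places, e.g. `Restore-UevBackup -ComputerName <ComputerName>`. The fence is also tagged `syntax`; tagging it `powershell` would give the cmdlet proper highlighting.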
@ -7,7 +7,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.date: 11/13/2018
ms.date: 11/29/2018
---

# Servicing stack updates
@ -15,38 +15,38 @@ ms.date: 11/13/2018

**Applies to**

- Windows 10
- Windows 10, Windows 8.1, Windows 8, Windows 7

## What is a servicing stack update?
The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.

## Why should servicing stack updates be installed and kept up to date?

Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. Servicing stack updates improve the reliability and performance of the update process.
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.

## When are they released?

Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required.
Servicing stack update are scheduled to release simultaneously with the monthly quality updates. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."

>[!NOTE]
>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).

## What's the difference between a servicing stack update and a cumulative update?

Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.

However, there are some operating system fixes that aren’t included in a cumulative update but are still pre-requisites for the cumulative update. That is, the component that performs the actual updates sometimes itself requires an update. Those fixes are available in a servicing stack update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.

If a given cumulative update required a servicing stack update, you'll see that information in the release notes for the update. **If you try to install the cumulative update without installing the servicing stack update, you'll get an error.**

## Is there any special guidance?

Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.

Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.

## Installation notes

* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Search to install latest available [Servicing stack update for Windows 10](https://support.microsoft.com/search?query=servicing%20stack%20update%20Windows%2010).

* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
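Review bot: subject-verb agreement in the new "When are they released?" paragraph: "Servicing stack update are scheduled" should be "Servicing stack updates are scheduled", and "In rare occasions" should be "On rare occasions". Two consistency points in the same hunk: that paragraph now says new servicing stack updates are classified as "Security" with a "Critical" severity rating, yet the rewritten "Is there any special guidance?" sentence drops "security" from "reliability, security, and performance improvements"; keep "security" there. And the last bullet keeps the wording "Search to install latest available Servicing stack update for Windows 10" while its link now points to the ADV990001 advisory, the same link already given in the NOTE above; either restore the support-site search link or reword the bullet to say it points to the advisory.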
@ -42,7 +42,7 @@ In order to set the WinHTTP proxy system-wide on your computers, you need to

The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3.

If you want to learn more about Proxy considerations on Windows, please take a look at this post in the ieinternals blog
If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/).

### Logged-in user’s Internet connection

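Review bot: the unchanged context line above this change, "customers who use a single proxy or f.", is cut off mid-sentence. Since the hunk is already editing this paragraph, complete that sentence in the same change rather than leaving the truncation in place next to the corrected link.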
@ -37,12 +37,12 @@ To effectively build queries that span multiple tables, you need to understand t
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. |
| DefaultGateways | string | Default gateway addresses in JSON array format |
| DnsServers | string | DNS server addresses in JSON array format |
| DnsAddresses | string | DNS server addresses in JSON array format |
| EventTime | datetime | Date and time when the event was recorded |
| EventType | string | Table where the record is stored |
| FileName | string | Name of the file that the recorded action was applied to |
| FileOriginIp | string | IP address where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
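Review bot: the DnsAddresses row carries the DnsServers description word for word ("DNS server addresses in JSON array format"), so this reads as a column rename rather than a new column. Confirm that DnsAddresses is the name the schema actually exposes, because any saved hunting query that selects DnsServers will stop returning that data once the column is gone, and consider mentioning the old name in the description for one release so readers migrating queries can find it.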
@ -61,7 +61,7 @@ To effectively build queries that span multiple tables, you need to understand t
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
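Review bot: the renamed InitiatingProcessParentFileName row keeps the old description "Name of the parent process that spawned the process responsible for the event". Match the wording to the FileName row's convention, e.g. "File name (image file) of the parent process that spawned the process responsible for the event", so the reader knows this is the executable's file name rather than a display name.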
@ -71,6 +71,7 @@ To effectively build queries that span multiple tables, you need to understand t
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br>
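Review bot: the added LocalIPType row is inserted between LocalPort and LogonId, which breaks the alphabetical ordering the rest of the table follows; move it directly after LocalIP. Its value list ("Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast") is identical to the RemoteIPType row further down, which is fine, but keep the two lists in sync if either is edited later.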
@ -81,7 +82,6 @@ To effectively build queries that span multiple tables, you need to understand t
| NetworkAdapterName | string | Name of the network adapter |
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). |
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). |
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSBuild | string | Build version of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
@ -94,7 +94,7 @@ To effectively build queries that span multiple tables, you need to understand t
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log |
| Protocol | string | IP protocol used, whether TCP or UDP |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
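Review bot: the ProcessIntegrityLevel description has a grammatical slip: "such as if they were launched from an internet downloaded" should read "such as whether they were launched from an internet download". Since the hunk already touches this block of rows, fix it here.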
@ -102,12 +102,14 @@ To effectively build queries that span multiple tables, you need to understand t
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| RemoteIP | string | IP address that was being connected to |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| TunnelingProtocol | string | Tunneling protocol, if the interface is used for this purpose, for example: <br> - Various IPv6 to IPv4 tunneling protocols (6to4, Teredo, ISATAP) <br> - VPN (PPTP, SSTP) <br> - SSH <br> **NOTE:** This field doesn’t provide full IP tunneling specifications. |
| Table | string | Table that contains the details of the event |
| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |

>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)

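Review bot: the new Table row ("Table that contains the details of the event") overlaps with the existing EventType row earlier in the table ("Table where the record is stored"); if both columns exist, say how they differ, otherwise keep only one. Two smaller points: the TunnelingType description still opens with "Tunneling protocol", the same phrase the TunnelingProtocol row uses, so if TunnelingType supersedes TunnelingProtocol lead with "Type of tunneling" and drop the old row, and if both stay, explain the difference. And RemotePort is described as a "TCP port" while the Protocol row says the protocol can be TCP or UDP; "TCP or UDP port" is more accurate.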
@ -65,15 +65,16 @@ For more information on the query language and supported operators, see [Query L

The following tables are exposed as part of Advanced hunting:

- **AlertEvents** - Stores alerts related information
- **MachineInfo** - Stores machines properties
- **ProcessCreationEvents** - Stores process creation events
- **NetworkCommunicationEvents** - Stores network communication events
- **FileCreationEvents** - Stores file creation, modification, and rename events
- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events
- **LogonEvents** - Stores login events
- **ImageLoadEvents** - Stores load dll events
- **MiscEvents** - Stores several types of events, process injection events, access to LSASS processes, and others.
- **AlertEvents** - Alerts on Windows Defender Security Center
- **MachineInfo** - Machine information, including OS information
- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains
- **ProcessCreationEvents** - Process creation and related events
- **NetworkCommunicationEvents** - Network connection and related events
- **FileCreationEvents** - File creation, modification, and other file system events
- **RegistryEvents** - Creation and modification of registry entries
- **LogonEvents** - Login and other authentication events
- **ImageLoadEvents** - DLL loading events
- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts

These tables include data from the last 30 days.

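Review bot: the LogonEvents bullet says "Login and other authentication events" while the table name itself and the LogonId/LogonType columns in the reference use "logon"; "Logon and other authentication events" keeps the terminology consistent. The new MachineNetworkInfo bullet is the first place that table is introduced, so a link from it to the column reference would help readers find the adapter and IP columns.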
@ -22,7 +22,7 @@ ms.date: 11/26/2018

[!include[Prerelease information](prerelease.md)]

>![TIP]
>[!TIP]
>Go to **Advanced features** in the **Settings** page to turn on the preview features.

>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)