diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index c77fa4d405..aaf6321d69 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -8,7 +8,7 @@
{
"source_path": "devices/hololens/hololens-whats-new.md",
"redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-upgrade-enterprise.md",
@@ -28,7 +28,7 @@
{
"source_path": "devices/hololens/hololens-setup.md",
"redirect_url": "https://docs.microsoft.com/hololens/hololens1-setup",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-use-apps.md",
@@ -38,17 +38,17 @@
{
"source_path": "devices/hololens/hololens-get-apps.md",
"redirect_url": "https://docs.microsoft.com/hololens/holographic-store-apps",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-spaces-on-hololens.md",
"redirect_url": "https://docs.microsoft.com/hololens/hololens-spaces",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-clicker.md",
"redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-clicker-restart-recover.md",
@@ -108,7 +108,7 @@
{
"source_path": "windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-containers-help-protect-windows",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
@@ -173,12 +173,12 @@
{
"source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md",
"redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-add",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md",
"redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md",
@@ -860,6 +860,11 @@
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection",
"redirect_document_id": true
},
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard",
+ "redirect_document_id": true
+ },
{
"source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction",
@@ -1435,6 +1440,11 @@
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices",
+ "redirect_document_id": true
+ },
{
"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection",
@@ -6213,27 +6223,27 @@
{
"source_path": "devices/surface/surface-diagnostic-toolkit.md",
"redirect_url": "https://docs.microsoft.com/surface/index",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/surface/manage-surface-dock-firmware-updates.md",
"redirect_url": "https://docs.microsoft.com/surface/indexdevices/surface/update",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
"redirect_url": "https://docs.microsoft.com/surface-hub/finishing-your-surface-hub-meeting",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-microsoft-layout-app.md",
"redirect_url": "https://docs.microsoft.com/hololens/hololens-microsoft-dynamics-365-layout-app",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-microsoft-dynamics-365-layout-app.md",
"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/layout/",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-microsoft-remote-assist-app.md",
diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md
index e2453e5990..e0085148dd 100644
--- a/browsers/edge/about-microsoft-edge.md
+++ b/browsers/edge/about-microsoft-edge.md
@@ -11,7 +11,6 @@ ms.prod: edge
ms.mktglfcycl: general
ms.topic: reference
ms.sitesec: library
-title: Microsoft Edge for IT Pros
ms.localizationpriority: medium
ms.date: 10/02/2018
---
diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml
index 5661ce3fba..0533a4dcb2 100644
--- a/browsers/edge/index.yml
+++ b/browsers/edge/index.yml
@@ -1,161 +1,93 @@
-### YamlMime:YamlDocument
+### YamlMime:Landing
-documentType: LandingData
-
-title: Microsoft Edge Legacy Group Policy configuration options
+title: Microsoft Edge Group Legacy Policy configuration options # < 60 chars
+summary: Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. # < 160 chars
metadata:
-
- title: Microsoft Edge Group Legacy Policy configuration options
-
- description:
-
- text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar.
-
+ title: Microsoft Edge Group Legacy Policy configuration options # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. # Required; article description that is displayed in search results. < 160 chars.
+ ms.prod: microsoft-edge
keywords: Microsoft Edge Legacy, Windows 10
-
ms.localizationpriority: medium
-
- author: shortpatti
-
- ms.author: pashort
-
- ms.date: 08/09/2018
-
- ms.topic: article
-
- ms.devlang: na
-
-sections:
-
-- title:
-
-- items:
-
- - type: markdown
-
- text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions.
-
-- items:
-
- - type: list
-
- style: cards
-
- className: cardsE
-
- columns: 3
-
- items:
-
- - href: https://docs.microsoft.com/microsoft-edge/deploy/change-history-for-microsoft-edge
-
- html: Learn more about the latest group policies and features added to Microsoft Edge.
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_whats-new.svg
-
- title: What's new
-
- - href: https://docs.microsoft.com/microsoft-edge/deploy/about-microsoft-edge
-
- html: Learn about the system requirements and language support for Microsoft Edge.
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_overview.svg
-
- title: System requirements and supported languages
-
- - href: https://www.microsoft.com/en-us/WindowsForBusiness/Compare
-
- html: Learn about the supported features & functionality in each Windows edition.
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_config-tools.svg
-
- title: Compare Windows 10 Editions
-
- - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp
-
- html: Learn how Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows.
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_security-management.svg
-
- title: Security & protection
-
- - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp
-
- html: Learn how you can use the Enterprise Mode site list for websites and apps that have compatibility problems in Microsoft Edge.
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_management.svg
-
- title: Interoperability & enterprise guidance
-
- - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/index
-
- html: Learn about the advanced VPN features you can add to improve the security and availability of your VPN connection.
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_policy.svg
-
- title: Group policies & configuration options
-
-- items:
-
- - type: list
-
- style: cards
-
- className: cardsL
-
- items:
-
- - title: Microsoft Edge resources
-
- html: Minimum system requirements
-
- Supported languages
-
- Document change history
-
- Compare Windows 10 Editions
-
- Microsoft Edge Dev blog
-
- Microsoft Edge Dev on Twitter
-
- Microsoft Edge changelog
-
- Measuring the impact of Microsoft Edge
-
- - title: IE11 resources
-
- html: Deploy Internet Explorer 11 (IE11) - IT Pros
-
- Internet Explorer Administration Kit 11 (IEAK 11)
-
- Download Internet Explorer 11
-
- - title: Additional resources
-
- html: Group Policy and the Group Policy Management Console (GPMC)
-
- Group Policy and the Local Group Policy Editor
-
- Group Policy and the Advanced Group Policy Management (AGPM)
-
- Group Policy and Windows PowerShell
-
-
-
-
-
-
+ ms.topic: landing-page # Required
+ ms.collection: collection # Optional; Remove if no collection is used.
+ author: shortpatti #Required; your GitHub user alias, with correct capitalization.
+ ms.author: pashort #Required; microsoft alias of author; optional team alias.
+ ms.date: 07/07/2020 #Required; mm/dd/yyyy format.
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: About Microsoft Edge
+ linkLists:
+ - linkListType: whats-new
+ links:
+ - text: Documentation for Microsoft Edge version 77 or later
+ url: /DeployEdge
+ - text: Microsoft 365 apps say farewell to Internet Explorer 11 and Windows 10 sunsets Microsoft Edge Legacy
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666
+ - text: Latest group policies and features added to Microsoft Edge
+ url: /microsoft-edge/deploy/change-history-for-microsoft-edge
+ - linkListType: overview
+ links:
+ - text: System requirements and supported languages
+ url: /microsoft-edge/deploy/about-microsoft-edge
+ - text: Compare Windows 10 editions
+ url: https://www.microsoft.com/en-us/WindowsForBusiness/Compare
+ - text: Security & protection
+ url: /microsoft-edge/deploy/group-policies/security-privacy-management-gp
+ - text: Interoperability & enterprise guidance
+ url: /microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp
+ - text: Group policies & configuration options
+ url: /microsoft-edge/deploy/group-policies/
+
+ # Card (optional)
+ - title: Microsoft Edge resources
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Minimum system requirements
+ url: /microsoft-edge/deploy/about-microsoft-edge#minimum-system-requirements
+ - text: Supported languages
+ url: /microsoft-edge/deploy/about-microsoft-edge#supported-languages
+ - text: Document change history
+ url: /microsoft-edge/deploy/change-history-for-microsoft-edge
+ - text: Microsoft Edge Dev blog
+ url: https://blogs.windows.com/msedgedev
+ - text: Microsoft Edge Dev on Twitter
+ url: /microsoft-edge/deploy/about-microsoft-edge#supported-languages
+ - text: Microsoft Edge changelog
+ url: /microsoft-edge/deploy/change-history-for-microsoft-edge
+ - text: Measuring the impact of Microsoft Edge
+ url: https://blogs.windows.com/msedgedev
+
+ # Card (optional)
+ - title: IE11 resources
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Deploy Internet Explorer 11 (IE11) - IT Pros
+ url: https://go.microsoft.com/fwlink/p/?LinkId=760644
+ - text: Internet Explorer Administration Kit 11 (IEAK 11)
+ url: /internet-explorer/ie11-ieak
+ - linkListType: download
+ links:
+ - text: Download Internet Explorer 11
+ url: https://go.microsoft.com/fwlink/p/?linkid=290956
+
+ # Card (optional)
+ - title: Additional resources
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Group Policy and the Group Policy Management Console (GPMC)
+ url: https://go.microsoft.com/fwlink/p/?LinkId=617921
+ - text: Group Policy and the Local Group Policy Editor
+ url: https://go.microsoft.com/fwlink/p/?LinkId=617922
+ - text: Group Policy and the Advanced Group Policy Management (AGPM)
+ url: https://go.microsoft.com/fwlink/p/?LinkId=617923
+ - text: Group Policy and Windows PowerShell
+ url: https://go.microsoft.com/fwlink/p/?LinkId=617924
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
index 8249262926..d906bfc6ce 100644
--- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@@ -15,6 +15,8 @@ ms.date: 01/17/2020
---
# Deploy Microsoft Edge Legacy kiosk mode
+> [!IMPORTANT]
+> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](https://docs.microsoft.com/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed.
> Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
> Professional, Enterprise, and Education
diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md
index 3c50d4d50e..5479f689f3 100644
--- a/browsers/edge/troubleshooting-microsoft-edge.md
+++ b/browsers/edge/troubleshooting-microsoft-edge.md
@@ -9,7 +9,6 @@ author: dansimp
ms.author: dansimp
ms.prod: edge
ms.sitesec: library
-title: Deploy Microsoft Edge kiosk mode
ms.localizationpriority: medium
ms.date: 10/15/2018
---
diff --git a/browsers/edge/use-powershell-to manage-group-policy.md b/browsers/edge/use-powershell-to manage-group-policy.md
index 58a6b06b27..1b6d2e9338 100644
--- a/browsers/edge/use-powershell-to manage-group-policy.md
+++ b/browsers/edge/use-powershell-to manage-group-policy.md
@@ -5,7 +5,6 @@ ms.prod: edge
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
ms.localizationpriority: medium
ms.date: 10/02/2018
ms.reviewer:
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 50208546bb..576a1de28f 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -7,6 +7,7 @@
"**/*.yml"
],
"exclude": [
+ "**/includes/**",
"**/obj/**"
]
}
diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
index 8fe62f2f79..f09832c403 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
@@ -1,49 +1,53 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: How to use Group Policy to install ActiveX controls.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Group Policy and ActiveX installation
-
-ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer:
-
-- Get the ActiveX control if it's not already installed.
-
-- Download the installation package.
-
-- Perform trust verification on the object.
-
-- Prompt for installation permission, using the IE Information Bar.
-
-During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control.
-
-**Important**
ActiveX control installation requires administrator-level permissions.
-
-## Group Policy for the ActiveX Installer Service
-
-You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include:
-
-- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control.
-
-- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed.
-
-For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503).
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: How to use Group Policy to install ActiveX controls.
+author: dansimp
+ms.prod: ie11
+ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Group Policy and ActiveX installation
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer:
+
+- Get the ActiveX control if it's not already installed.
+
+- Download the installation package.
+
+- Perform trust verification on the object.
+
+- Prompt for installation permission, using the IE Information Bar.
+
+During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control.
+
+**Important**
ActiveX control installation requires administrator-level permissions.
+
+## Group Policy for the ActiveX Installer Service
+
+You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include:
+
+- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control.
+
+- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed.
+
+For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503).
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
index 664bc596e1..455bae28bd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
@@ -1,68 +1,72 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how to add employees to the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
----
-
-# Add employees to the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups.
-
-The available roles are:
-
-- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests.
-
-- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
-
-- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
-
-- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page.
-
-**To add an employee to the Enterprise Mode Site List Portal**
-1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page.
-
- The **Employee management** page appears.
-
-2. Click **Add a new employee**.
-
- The **Add a new employee** page appears.
-
-3. Fill out the fields for each employee, including:
-
- - **Email.** Add the employee's email address.
-
- - **Name.** This box autofills based on the email address.
-
- - **Role.** Pick a single role for the employee, based on the list above.
-
- - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers.
-
- - **Comments.** Add optional comments about the employee.
-
- - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box.
-
-4. Click **Save**.
-
-**To export all employees to an Excel spreadsheet**
-1. On the **Employee management** page, click **Export to Excel**.
-
-2. Save the EnterpriseModeUsersList.xlsx file.
-
- The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name.
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to add employees to the Enterprise Mode Site List Portal.
+author: dansimp
+ms.prod: ie11
+title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+---
+
+# Add employees to the Enterprise Mode Site List Portal
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups.
+
+The available roles are:
+
+- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests.
+
+- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
+
+- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
+
+- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page.
+
+**To add an employee to the Enterprise Mode Site List Portal**
+1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page.
+
+ The **Employee management** page appears.
+
+2. Click **Add a new employee**.
+
+ The **Add a new employee** page appears.
+
+3. Fill out the fields for each employee, including:
+
+ - **Email.** Add the employee's email address.
+
+ - **Name.** This box autofills based on the email address.
+
+ - **Role.** Pick a single role for the employee, based on the list above.
+
+ - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers.
+
+ - **Comments.** Add optional comments about the employee.
+
+ - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box.
+
+4. Click **Save**.
+
+**To export all employees to an Excel spreadsheet**
+1. On the **Employee management** page, click **Export to Excel**.
+
+2. Save the EnterpriseModeUsersList.xlsx file.
+
+ The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
index 8ead60630e..57c8991c7d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
@@ -1,112 +1,116 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)
-
-**Applies to:**
-
-- Windows 8.1
-- Windows 7
-
-You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones.
-
-If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
-
-## Create an Enterprise Mode site list (TXT) file
-You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time. **Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
-
-You must separate each site using commas or carriage returns. For example:
-
-```
-microsoft.com, bing.com, bing.com/images
-```
-**-OR-**
-
-```
-microsoft.com
-bing.com
-bing.com/images
-```
-
-## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
-You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-Each XML file must include:
-
-- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.
-
-- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.
**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
-
-- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-### Enterprise Mode v.1 XML schema example
-The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-```
-
-
- www.cpandl.com
- www.woodgrovebank.com
- adatum.com
- contoso.com
- relecloud.com
- /about
-
- fabrikam.com
- /products
-
-
-
- contoso.com
- /travel
-
- fabrikam.com
- /products
-
-
-
-```
-
-To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.
**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
-
-## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
-After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
-
- **To add multiple sites**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
-
-2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-3. Click **OK** to close the **Bulk add sites to the list** menu.
-
-4. On the **File** menu, click **Save to XML**, and save your file.
-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
+author: dansimp
+ms.prod: ie11
+ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 8.1
+- Windows 7
+
+You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones.
+
+If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
+
+## Create an Enterprise Mode site list (TXT) file
+You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.
**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
+
+You must separate each site using commas or carriage returns. For example:
+
+```
+microsoft.com, bing.com, bing.com/images
+```
+**-OR-**
+
+```
+microsoft.com
+bing.com
+bing.com/images
+```
+
+## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
+You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+Each XML file must include:
+
+- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.
+
+- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.
**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
+
+- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+### Enterprise Mode v.1 XML schema example
+The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+```
+
+
+ www.cpandl.com
+ www.woodgrovebank.com
+ adatum.com
+ contoso.com
+ relecloud.com
+ /about
+
+ fabrikam.com
+ /products
+
+
+
+ contoso.com
+ /travel
+
+ fabrikam.com
+ /products
+
+
+
+```
+
+To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.
**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
+
+## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
+After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
+
+ **To add multiple sites**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
+
+2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+4. On the **File** menu, click **Save to XML**, and save your file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
index 78f0903d6f..37ef55dea6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
@@ -16,7 +16,10 @@ ms.date: 10/24/2017
---
-# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
**Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
index 8b8435daff..8c5e4b4426 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
@@ -1,66 +1,70 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
-
-**Applies to:**
-
-- Windows 8.1
-- Windows 7
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important**
You can only add specific URLs, not Internet or Intranet Zones.
-
-
Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager.
-
-## Adding a site to your compatibility list
-You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
-
Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2).
-
- **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
-
-1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
-
-2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation.
-
-3. Type any comments about the website into the **Notes about URL** box.
-Administrators can only see comments while they’re in this tool.
-
-4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE.
-
-The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
-
-Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
-
-5. Click **Save** to validate your website and to add it to the site list for your enterprise.
- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
-
-6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Next steps
-After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
-
-## Related topics
-- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+author: dansimp
+ms.prod: ie11
+ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 8.1
+- Windows 7
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important**
You can only add specific URLs, not Internet or Intranet Zones.
+
+
Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager.
+
+## Adding a site to your compatibility list
+You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
+
Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2).
+
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
+
+2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
+Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation.
+
+3. Type any comments about the website into the **Notes about URL** box.
+Administrators can only see comments while they’re in this tool.
+
+4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE.
+
+The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
+
+Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+5. Click **Save** to validate your website and to add it to the site list for your enterprise.
+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
+
+6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index 0977b87b94..63f0d7bd6f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -16,7 +16,10 @@ ms.date: 07/27/2017
---
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
**Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
index f08c08fcdb..23bb9ee14a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
@@ -1,82 +1,86 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-description: Administrative templates and Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Administrative templates and Internet Explorer 11
-
-Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
-
-- What registry locations correspond to each setting.
-
-- What value options or restrictions are associated with each setting.
-
-- The default value for many settings.
-
-- Text explanations about each setting and the supported version of Internet Explorer.
-
-For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
-
-## What are Administrative Templates?
-Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
-
-- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
-
-- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
-
-## How do I store Administrative Templates?
-As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs).
-
Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.
-
-## Administrative Templates-related Group Policy settings
-When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
-
Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer.
-
-IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
-
-- Computer Configuration\\Administrative Templates\\Windows Components\\
-
-- User Configuration\\Administrative Templates\\Windows Components\\
-
-
-|Catalog |Description |
-| ------------------------------------------------ | --------------------------------------------|
-|IE |Turns standard IE configuration on and off. |
-|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
-|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
-|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
-|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
-|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
-|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
-|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
-|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
-|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. |
-|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
-|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
-|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
-|RSS Feeds |Sets up and manages RSS feeds in the browser. |
-
-
-## Editing Group Policy settings
-Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
-
-- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
-
-- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
-
-## Related topics
-- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880)
-- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576)
-- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Administrative templates and Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Administrative templates and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
+
+- What registry locations correspond to each setting.
+
+- What value options or restrictions are associated with each setting.
+
+- The default value for many settings.
+
+- Text explanations about each setting and the supported version of Internet Explorer.
+
+For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
+
+## What are Administrative Templates?
+Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
+
+- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
+
+- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
+
+## How do I store Administrative Templates?
+As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs).
+
Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.
+
+## Administrative Templates-related Group Policy settings
+When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
+
Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer.
+
+IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
+
+- Computer Configuration\\Administrative Templates\\Windows Components\\
+
+- User Configuration\\Administrative Templates\\Windows Components\\
+
+
+|Catalog |Description |
+| ------------------------------------------------ | --------------------------------------------|
+|IE |Turns standard IE configuration on and off. |
+|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
+|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
+|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
+|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
+|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
+|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
+|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
+|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
+|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. |
+|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
+|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
+|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
+|RSS Feeds |Sets up and manages RSS feeds in the browser. |
+
+
+## Editing Group Policy settings
+Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
+
+- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
+
+- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
+
+## Related topics
+- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880)
+- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576)
+- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
index 977e17394e..07687792a3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
@@ -1,62 +1,66 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
-author: dansimp
-ms.prod: ie11
-title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
----
-
-# Approve a change request using the Enterprise Mode Site List Portal
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
-
-## Approve or reject a change request
-The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
-
-**To approve or reject a change request**
-1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
-
- The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
-
-2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
-
-3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
-
- An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
-
-
-## Send a reminder to the Approver(s) group
-If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
-
-- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
-
- An email is sent to the selected Approver(s).
-
-
-## View rejected change requests
-The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
-
-**To view the rejected change request**
-
-- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
-
- All rejected change requests appear, with role assignment determining which ones are visible.
-
-
-## Next steps
-After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
+author: dansimp
+ms.prod: ie11
+title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+---
+
+# Approve a change request using the Enterprise Mode Site List Portal
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
+
+## Approve or reject a change request
+The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
+
+**To approve or reject a change request**
+1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
+
+ The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
+
+2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
+
+3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
+
+ An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
+
+
+## Send a reminder to the Approver(s) group
+If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
+
+- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
+
+ An email is sent to the selected Approver(s).
+
+
+## View rejected change requests
+The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
+
+**To view the rejected change request**
+
+- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
+
+ All rejected change requests appear, with role assignment determining which ones are visible.
+
+
+## Next steps
+After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
index d45374e404..7dbfc19776 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
@@ -1,62 +1,66 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto configuration and auto proxy problems with Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto configuration and auto proxy problems with Internet Explorer 11
-You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11.
-
-## Branding changes aren't distributed using automatic configuration
-If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md).
-
-## Proxy server setup issues
-If you experience issues while setting up your proxy server, you can try these troubleshooting steps:
-
-- Check to make sure the proxy server address is right.
-
-- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser.
-
-- Check that the browser is pointing to the right automatic configuration script location.
-
- **To check your proxy server address**
-
-1. On the **Tools** menu, click **Internet Options**, and then **Connections**.
-
-2. Click **Settings** or **LAN Settings**, and then look at your proxy server address.
-
-3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652).
-
- **To check that you've turned on the correct settings**
-
-4. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
-
-5. Click **Settings** or **LAN Settings**.
-
-6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.
**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again.
-
- **To check that you're pointing to the correct automatic configuration script location**
-
-7. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
-
-8. Click **Settings** or **LAN Settings**.
-
-9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto configuration and auto proxy problems with Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto configuration and auto proxy problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11.
+
+## Branding changes aren't distributed using automatic configuration
+If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md).
+
+## Proxy server setup issues
+If you experience issues while setting up your proxy server, you can try these troubleshooting steps:
+
+- Check to make sure the proxy server address is right.
+
+- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser.
+
+- Check that the browser is pointing to the right automatic configuration script location.
+
+ **To check your proxy server address**
+
+1. On the **Tools** menu, click **Internet Options**, and then **Connections**.
+
+2. Click **Settings** or **LAN Settings**, and then look at your proxy server address.
+
+3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652).
+
+ **To check that you've turned on the correct settings**
+
+4. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
+
+5. Click **Settings** or **LAN Settings**.
+
+6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.
**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again.
+
+ **To check that you're pointing to the correct automatic configuration script location**
+
+7. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
+
+8. Click **Settings** or **LAN Settings**.
+
+9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL.
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
index 1b9a0ba9c8..82857ac50e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
@@ -1,74 +1,78 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto configuration settings for Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto configuration settings for Internet Explorer 11
-Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).
**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
-
-## Adding the automatic configuration registry key
-For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.
**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs.
-
- **To add the registry key**
-
-1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**.
-
-2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**.
-
-3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter.
-
-4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**.
-
-5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter.
-
-6. Right-click **iexplore.exe**, and then click **Modify**.
-
-7. In the **Value data** box, enter **1**, and then click **OK**.
-
-8. Exit the registry editor.
-
-## Updating your automatic configuration settings
-After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
-
Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
-
- **To update your settings**
-
-1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings.
-
-3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
-
- - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts.
-
- - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
-
- - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.
**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
-
-If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
-
-## Locking your automatic configuration settings
-You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
-
-- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting.
-
-- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto configuration settings for Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto configuration settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).
**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
+
+## Adding the automatic configuration registry key
+For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.
**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs.
+
+ **To add the registry key**
+
+1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**.
+
+2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**.
+
+3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter.
+
+4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**.
+
+5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter.
+
+6. Right-click **iexplore.exe**, and then click **Modify**.
+
+7. In the **Value data** box, enter **1**, and then click **OK**.
+
+8. Exit the registry editor.
+
+## Updating your automatic configuration settings
+After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
+
Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
+
+ **To update your settings**
+
+1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings.
+
+3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
+
+ - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts.
+
+ - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
+
+ - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.
**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
+
+If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
+
+## Locking your automatic configuration settings
+You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
+
+- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting.
+
+- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object.
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
index 6d58aac85b..3e2c898988 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
@@ -1,55 +1,59 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto detect settings Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto detect settings Internet Explorer 11
-After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location.
-
-Automatic detection works even if the browser wasn't originally set up or installed by the administrator.
-
-- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts.
-
-- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.
**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
-
-## Updating your automatic detection settings
-To use automatic detection, you have to set up your DHCP and DNS servers.
**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options.
-
- **To turn on automatic detection for DHCP servers**
-
-1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
-
-3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
-
- **To turn on automatic detection for DNS servers**
-
-4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings.
-
-6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.
**-OR-**
Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.
**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).
-
-7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto detect settings Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto detect settings Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location.
+
+Automatic detection works even if the browser wasn't originally set up or installed by the administrator.
+
+- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts.
+
+- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
+
+## Updating your automatic detection settings
+To use automatic detection, you have to set up your DHCP and DNS servers.
**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options.
+
+ **To turn on automatic detection for DHCP servers**
+
+1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
+
+3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
+
+ **To turn on automatic detection for DNS servers**
+
+4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings.
+
+6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.
**-OR-**
Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.
**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).
+
+7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
index bd7bd5c030..f285933bcb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
@@ -1,50 +1,54 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto proxy configuration settings for Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto proxy configuration settings for Internet Explorer 11
-Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2.
-
-## Updating your auto-proxy settings
-You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified.
-
- **To update your settings**
-
-1. Create a script file with your proxy information, copying it to a server location.
-
-2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
-
-3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
-
- - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts.
-
- - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md).
-
- - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
-
-## Locking your auto-proxy settings
-You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
-
-- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting.
-
-- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514).
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto proxy configuration settings for Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto proxy configuration settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2.
+
+## Updating your auto-proxy settings
+You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified.
+
+ **To update your settings**
+
+1. Create a script file with your proxy information, copying it to a server location.
+
+2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
+
+ - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts.
+
+ - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md).
+
+ - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.
**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
+
+## Locking your auto-proxy settings
+You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
+
+- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting.
+
+- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514).
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
index 12bd5502e3..17f6488e0a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
@@ -1,43 +1,47 @@
----
-title: Blocked out-of-date ActiveX controls
-description: This page is periodically updated with new ActiveX controls blocked by this feature.
-author: dansimp
-ms.author: dansimp
-audience: itpro
manager: dansimp
-ms.date: 05/10/2018
-ms.topic: article
-ms.prod: ie11
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: security
-ms.assetid: ''
-ms.reviewer:
-ms.sitesec: library
----
-
-# Blocked out-of-date ActiveX controls
-
-ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_.
-
-We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list.
-
-You will receive a notification if a webpage tries to load one of the following of ActiveX control versions:
-
-**Java**
-
-| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 |
-|----------------------------------------------------------------------------------------------|
-| J2SE 5.0, everything below (but not including) update 99 |
-| Java SE 6, everything below (but not including) update 181 |
-| Java SE 7, everything below (but not including) update 171 |
-| Java SE 8, everything below (but not including) update 161 |
-| Java SE 9, everything below (but not including) update 4 |
-
-**Silverlight**
-
-
-| Everything below (but not including) Silverlight 5.1.50907.0 |
-|--------------------------------------------------------------|
-| |
-
-For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864).
+---
+title: Blocked out-of-date ActiveX controls
+description: This page is periodically updated with new ActiveX controls blocked by this feature.
+author: dansimp
+ms.author: dansimp
+audience: itpro
+manager: dansimp
+ms.date: 05/10/2018
+ms.topic: article
+ms.prod: ie11
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: security
+ms.assetid: ''
+ms.reviewer:
+ms.sitesec: library
+---
+
+# Blocked out-of-date ActiveX controls
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_.
+
+We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list.
+
+You will receive a notification if a webpage tries to load one of the following of ActiveX control versions:
+
+**Java**
+
+| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 |
+|----------------------------------------------------------------------------------------------|
+| J2SE 5.0, everything below (but not including) update 99 |
+| Java SE 6, everything below (but not including) update 181 |
+| Java SE 7, everything below (but not including) update 171 |
+| Java SE 8, everything below (but not including) update 161 |
+| Java SE 9, everything below (but not including) update 4 |
+
+**Silverlight**
+
+
+| Everything below (but not including) Silverlight 5.1.50907.0 |
+|--------------------------------------------------------------|
+| |
+
+For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
index fe61c67cf5..9aca832f3e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
@@ -1,38 +1,42 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: performance
-description: Browser cache changes and roaming profiles
-author: dansimp
-ms.prod: ie11
-ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/16/2017
----
-
-
-# Browser cache changes and roaming profiles
-We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
-
-You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
**Note**
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
-
-To get the best results while using roaming profiles, we strongly recommend the following:
-
-- Create a separate roaming repository for each domain account that uses roaming.
-
-- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss.
-
-- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings.
-
-- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: performance
+description: Browser cache changes and roaming profiles
+author: dansimp
+ms.prod: ie11
+ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 10/16/2017
+---
+
+
+# Browser cache changes and roaming profiles
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
+
+You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
**Note**
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
+
+To get the best results while using roaming profiles, we strongly recommend the following:
+
+- Create a separate roaming repository for each domain account that uses roaming.
+
+- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss.
+
+- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings.
+
+- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object.
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index d3cae2a67a..f358312bbc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -1,56 +1,60 @@
----
-ms.localizationpriority: medium
-title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
-description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
-ms.mktglfcycl: deploy
-ms.prod: ie11
-ms.sitesec: library
-author: dansimp
-ms.date: 07/27/2017
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
----
-
-
-# Change history for Internet Explorer 11
-This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
-
-## April 2017
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. |
-
-## March 2017
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. |
-
-## November 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.|
-
-## August 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
-|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
-|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. |
-
-## July 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. |
-
-## June 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. |
-
-
-## May 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. |
-
+---
+ms.localizationpriority: medium
+title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
+description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
+ms.mktglfcycl: deploy
+ms.prod: ie11
+ms.sitesec: library
+author: dansimp
+ms.date: 07/27/2017
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+---
+
+
+# Change history for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
+
+## April 2017
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. |
+
+## March 2017
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. |
+
+## November 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.|
+
+## August 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
+|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. |
+|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. |
+
+## July 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. |
+
+## June 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. |
+
+
+## May 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. |
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
index 0b2d9ff141..9b4b3e6f1f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
@@ -1,51 +1,55 @@
----
-title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
-description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
-ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-ms.sitesec: library
-author: dansimp
-ms.author: dansimp
-ms.date: 08/14/2017
-ms.localizationpriority: medium
----
-
-
-# Check for a new Enterprise Mode site list xml file
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
-
-You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-
-The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
-
-**How Internet Explorer 11 looks for an updated site list**
-
-1. Internet Explorer starts up and looks for an updated site list in the following places:
-
- 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
-
- 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
-
- 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
-
-2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
-
-
-
-
-
-
-
-
-
+---
+title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
+description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
+ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: ie11
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+ms.sitesec: library
+author: dansimp
+ms.author: dansimp
+ms.date: 08/14/2017
+ms.localizationpriority: medium
+---
+
+
+# Check for a new Enterprise Mode site list xml file
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
+
+**How Internet Explorer 11 looks for an updated site list**
+
+1. Internet Explorer starts up and looks for an updated site list in the following places:
+
+ 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
+
+ 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
+
+ 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
+
+2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
index c35d115df7..810264c501 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
@@ -1,31 +1,35 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Choose how to deploy Internet Explorer 11 (IE11)
-author: dansimp
-ms.prod: ie11
-ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Choose how to deploy Internet Explorer 11 (IE11)
-In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools.
-
-## In this section
-
-| Topic | Description |
-|------------------------------------------------------------- | ------------------------------------------------------ |
-|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). |
-|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). |
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Choose how to deploy Internet Explorer 11 (IE11)
+author: dansimp
+ms.prod: ie11
+ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Choose how to deploy Internet Explorer 11 (IE11)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools.
+
+## In this section
+
+| Topic | Description |
+|------------------------------------------------------------- | ------------------------------------------------------ |
+|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). |
+|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). |
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index 563f38160c..72a5766494 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -1,37 +1,41 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Choose how to install Internet Explorer 11 (IE11)
-author: dansimp
-ms.prod: ie11
-ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Choose how to install Internet Explorer 11 (IE11)
-Before you install Internet Explorer 11, you should:
-
-- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version.
-
-- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries.
-
-- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site.
-
-- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
-
- - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
-
- - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669).
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Choose how to install Internet Explorer 11 (IE11)
+author: dansimp
+ms.prod: ie11
+ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Choose how to install Internet Explorer 11 (IE11)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Before you install Internet Explorer 11, you should:
+
+- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version.
+
+- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries.
+
+- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site.
+
+- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
+
+ - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
+
+ - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669).
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 12049fdcb9..0ffe059374 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Collect data using Enterprise Site Discovery
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
index d01fccf729..db62af6aab 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index 278408ab38..ad4441c9e3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Create a change request using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
index 6c260e93aa..395703b43d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Create packages for multiple operating systems or languages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You'll create multiple versions of your custom browser package if:
- You support more than 1 version of Windows®.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
index fc43585ae7..342b139714 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Customize Internet Explorer 11 installation packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files.
|Topic |Description |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index b2c4c0f80a..843d917596 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
index b9089ee16a..0f0c56de35 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
---
# Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS).
## What is Automatic Version Synchronization?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
index dc31c3230e..c3940fbefd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Deploy Internet Explorer 11 using software distribution tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include:
- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
index 567b8fbeb8..0177418299 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index f0f44c2897..e8d1ec3d7d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Deprecated document modes and Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
index 8ad5f3e6ad..29574ab860 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
index cb419efe7f..e21f3e41ed 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
@@ -17,6 +17,9 @@ ms.date: 4/12/2018
# Enable and disable add-ons using administrative templates and group policy
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates.
There are four types of add-ons:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
index d0998607dc..7f00307378 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Enhanced Protected Mode problems with Internet Explorer
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on.
You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
index 71104a8786..e5e3c31095 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Enterprise Mode for Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 09160baadd..6832c2797b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Enterprise Mode schema v.1 guidance
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index a321e5a744..299c6c093f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -18,6 +18,9 @@ ms.date: 12/04/2017
# Enterprise Mode schema v.2 guidance
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
index cf235b25aa..ce2f14b162 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index f1d72eb1a1..a5abdb8400 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Fix web compatibility issues using document modes and the Enterprise Mode site list
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. This addition to the site list is a continuation of our commitment to help you upgrade and stay up-to-date on the latest version of Internet Explorer, while still preserving your investments in existing apps.
## What does this mean for me?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
index c3c7ead8ff..54da1d4ba1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Fix validation problems using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
index d2fadc609c..93486e7113 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures.
From AGPM you can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
index df5754f0b6..e1e763af4c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2.
## Why use the GPMC?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
index d80c5af350..7e8c419582 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Group Policy and Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
index 4ca3868ed5..dce572d812 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, the Local Group Policy Editor, and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1.
Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=294912).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
index 8a5b6d7859..12b360b126 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy and compatibility with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in.
|Activity |Location |Setting the policy object |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
index 403471f4c7..3eafec01ac 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy management tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model.
By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
index ae5c5f783e..938e3e036e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group policy preferences and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Group Policy preferences are less strict than Group Policy settings, based on:
| |Group Policy preferences |Group Policy settings |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index d94601a9d5..26cf3ae659 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872).
## Group Policy Object-related Log Files
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
index 1f0caf9bc3..cd9e8a1740 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, Shortcut Extensions, and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to:
- **File system objects.** Traditional shortcuts that link to apps, files, folders, drives, shares, or computers. For example, linking a shortcut to an app from the **Start** screen.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
index 2de349942d..6f57e982ec 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Group Policy, Windows Powershell, and Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell.
Each cmdlet is a single-function command-line tool that can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index 9fe7dca247..edcb50cb9e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -17,6 +17,9 @@ ms.date: 05/22/2018
---
# Internet Explorer 11 delivery through automatic updates
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
- [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 6b34fcc195..30de0a2c97 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -11,6 +11,9 @@ ms.author: dansimp
# Full-sized flowchart detailing how document modes are chosen in IE11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
index 5ab9dd5e58..f585e3210d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Import your Enterprise Mode site list to the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index 74f09e116d..c40ba230ff 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -14,6 +14,9 @@ manager: dansimp
# Internet Explorer 11 (IE11) - Deployment Guide for IT Pros
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
index e9fcf44f0e..47a4d07569 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Install and Deploy Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
index 7dd92ecc08..027cf25129 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using Microsoft Intune
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
## Adding and deploying the IE11 package
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
index 5dade69199..c6bd4e15e8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images.
You'll need to extract the .cab file for each supported operating system and platform combination and the .msu file for each prerequisite update. Download the IE11 update and prerequisites here:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
index 2b40174159..e08ca5dffe 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination.
**To install IE11**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
index 9da3cd91fa..d0d9d17be1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using your network
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11).
**Note**
If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
index 5d230773e3..d593de27c6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using third-party tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options:
## Setup Modes
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
index 62bfab42b9..662514e102 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790).
**To import from Windows Update to WSUS**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
index 3ebe727aeb..3e6ffbfad8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Install problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Most Internet Explorer 11 installations are straightforward and work the way they should. But it's possible that you might have problems.
If you do, you can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
index 16331ab49c..803fc7fb83 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Fix intranet search problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site.
## Why is my intranet redirecting me to search results?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
index 2270749c81..66b29a20c4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Manage Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
index c0087953b7..e0dbd2bdab 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Missing Internet Explorer Maintenance settings for Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
index fbc40cbf73..faa927931e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Missing the Compatibility View Button
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
index 31261bbf7e..6c68a1ec01 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# .NET Framework problems with Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
## Summary
If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index 65e099eb37..9b8ab9eb33 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# New group policy settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 5591606f32..a2f12352fd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
# Out-of-date ActiveX control blocking
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
@@ -105,7 +108,10 @@ reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVe
```
Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk.
-## Out-of-date ActiveX control blocking on managed devices
+## Out-of-date ActiveX control blocking
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+ on managed devices
Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system.
### Group Policy settings
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 80a59c9305..fbcbcbadb9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -16,6 +16,9 @@ ms.date: 10/16/2017
# Problems after installing Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them.
## Internet Explorer is in an unusable state
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index df8a2b1707..4c973ffad6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index 4995a12e9a..f30c495bb3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Remove sites from a local compatibility view list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index c9b859509b..93b323b78a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Remove sites from a local Enterprise Mode site list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
index bb22b43b3f..acfe82d2a5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -17,6 +17,9 @@ ms.date: 04/02/2020
# Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
index 28b18117e1..7b80dd178d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Save your site list to XML in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
index 4565b9f0c1..4d5e66ec80 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Schedule approved change requests for production using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 0f35b04d1c..f96a952626 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index b6c1af8258..6edccdda73 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Set the default browser using Group Policy
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10.
**To set the default browser as Internet Explorer 11**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index fd55a40ebd..94f9336c89 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Set up Enterprise Mode logging and data collection
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index 7b0dd491aa..c022c08569 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Set up the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
index 7dd3e837c0..70d197c391 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Setup problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Installing Internet Explorer creates the following log files, which are stored in the Windows installation folder (typically, the C:\\Windows folder):
- `IE11_main.log`
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index a8953ad3f4..37b7bc16cf 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# System requirements and language support for Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index 1f9a047156..14bd40e745 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -17,6 +17,9 @@ ms.date: 05/10/2018
# Tips and tricks to manage Internet Explorer compatibility
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List.
Jump to:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
index 39d999c947..bf8ceeb867 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Troubleshoot Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index 1df0d6b95e..7e4561fa2a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Turn off Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
index 90442b3bbc..178085c2ad 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Fix font rendering problems by turning off natural metrics
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites.
However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index 744df8c766..8c84054dc3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -18,6 +18,9 @@ ms.localizationpriority: medium
# Turn on Enterprise Mode and use a site list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index 1324c12963..b4db0fb7a4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Turn on local control and logging for Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
index 446375289c..750bca0e82 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# List of updated features and tools - Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
index c26e39ddcc..fe55abfdc6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ author: dansimp
# Use the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 3cbc140f4b..cbfcfecf93 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 12/04/2017
# Use the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 14fcd048fc..b7669cf1ca 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# User interface problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes.
## Where did features go in the Internet Explorer Customization Wizard 11?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
index 6bff79cc82..677f1c974a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017
# Using IE7 Enterprise Mode or IE8 Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index 07e3ce2e2b..7015595563 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11.
**Note**
IEAK 11 works in network environments, with or without Microsoft Active Directory.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index 1f7b62dfa5..afc27104af 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Using Setup Information (.inf) files to create install packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959).
**To add uninstallation instructions to the .inf files**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index a3fce1731d..a31c831abd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Verify your changes using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
index 42db6c85c5..1ccd3e4d0c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
index 2be252275c..9aa736bacb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
index 20ad5ac557..f2db72080d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
index e5de6fffdd..771f7b3439 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Virtualization and compatibility with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE.
**Important**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 1a2c6fc17a..b9fb67f961 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 10/25/2018
# Enterprise Mode and the Enterprise Mode Site List
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
@@ -61,7 +64,10 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
-## Enterprise Mode and the Enterprise Mode Site List XML file
+## Enterprise Mode and the Enterprise Mode Site List
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+ XML file
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index 4f1c56a922..1fd67f656b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -19,6 +19,9 @@ ms.date: 05/10/2018
# What is the Internet Explorer 11 Blocker Toolkit?
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
index de71b3a8ff..dd8e3bcce6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
@@ -17,6 +17,9 @@ ms.author: dansimp
# Workflow-based processes for employees using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows 10
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
index 8917b1de22..c27e670fd6 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
@@ -16,6 +16,9 @@ ms.date: 10/16/2017
# Internet Explorer 11 - FAQ for IT Pros
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration.
## Frequently Asked Questions
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
index e35b64b8a4..cf59b670d6 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -16,6 +16,9 @@ ms.date: 05/10/2018
# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
> [!Important]
diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
index 7405392094..929acbed39 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
# IEAK 11 - Frequently Asked Questions
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful.
**What is IEAK 11?**
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
index b211933353..40a7886b0a 100644
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Accelerators page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map.
**Note**
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
index 7e89dab65d..b4d0459c78 100644
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Add and approve ActiveX controls using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
**Note**
diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
index eae4f678e5..c04501eea7 100644
--- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Add a Root Certificate page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK.
Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
index 60be35bc0d..ebff04a24a 100644
--- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Additional Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Additional Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you pick additional custom, corporate, and Internet settings that relate to your employee’s desktop, operating system, and security. If you don’t change a setting, it’ll be ignored.
The additional settings appear in administration (.adm) files that are stored in your `:\Program Files\Windows IEAK 11\policies` folder. You can also create your own .adm files with options that can be configured using the wizard. Any edits you make to your own .adm file are stored as .ins files, which are used to build the .inf files for your custom install package.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
index d3883b39ca..879c328e43 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Automatic Configuration page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Automatic Configuration** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you provide URLs to the files that’ll automatically configure Internet Explorer 11 for a group of employees or devices.
**Note**
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index 1a46247c5c..7d4f9344c9 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Set up auto detection for DHCP or DNS servers using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac).
Before you can set up your environment to use automatic detection, you need to turn the feature on.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
index c317a46e0e..b4565ed485 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Automatic Version Synchronization page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 runs the synchronization process every time you run the wizard, downloading the Internet Explorer 11 Setup file to your computer. The Setup file includes the required full and express packages.
**Important**
diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
index 3508c186af..7271837b2e 100644
--- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
@@ -18,6 +18,9 @@ ms.date: 04/24/2018
# Before you start using IEAK 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements:
- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
index 5c9c189f24..351b1bbb76 100644
--- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Branding .INS file to create custom branding and setup info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about the custom branding and setup information in your browser package.
|Name |Value | Description |
diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
index c1f3999a3a..0116384f6d 100644
--- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Browser User Interface page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Browser User Interface** page of the Internet Explorer Customization Wizard 11 lets you change the toolbar buttons and the title bar text in IE.
**Note**
The customizations you make on this page apply only to Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
index b2b123ff69..05fb2324f7 100644
--- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to customize the Internet Explorer toolbar.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index a39adaff3e..3214ea32c0 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Browsing Options page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items.
The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page.
diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
index e5bf7ebb40..321f45caf5 100644
--- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the CabSigning .INS file to customize the digital signature info for your apps
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to customize the digital signature info for your apps.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
index cda9702eb4..b6138064be 100644
--- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
# Use the Compatibility View page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
We’re sorry. We’ve changed the way Compatibility View works in Internet Explorer 11 and have removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. For more info about the changes we’ve made to the Compatibility View functionality, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md).
Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
index aaec7b0fa2..e9051c955b 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Connection Manager page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
We're sorry. We've removed all of the functionality included on the Connection Manager page of the Internet Explorer Customization Wizard 11.
Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
index 66beabdbca..bc00c58bec 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Connection Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Connection Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you import the connection settings from your computer, to preset the connection settings on your employee’s computers.
**Note**
Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
index 779e024e57..0e7777a64e 100644
--- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the ConnectionSettings .INS file to review the network connections for install
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
index 91f26adf5b..0befbc922f 100644
--- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Create the build computer folder structure using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**.
|Name |Version |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
index 3e8043c959..e2a0fb48a9 100644
--- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Tasks and references to consider before creating and deploying custom packages using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Review this list of tasks and references to help you use the Internet Explorer Administration Kit 11 (IEAK 11) to set up, deploy, and manage Internet Explorer 11 in your company.
|Task |References |
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
index 6196fabf79..5d88bfa81a 100644
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Create multiple versions of your custom package using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You'll need to create multiple versions of your custom browser package if:
- You support more than 1 version of the Windows operating system.
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
index 3cf498605c..ba3904ae39 100644
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use uninstallation .INF files to uninstall custom components
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**.
**To uninstall your custom components**
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
index 571b73d327..1a981a5a16 100644
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Custom Components page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](https://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component.
**Important**
You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md).
diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
index e7469fa864..7a5556235d 100644
--- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the CustomBranding .INS file to create custom branding and setup info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Provide the URL to your branding cabinet (.cab) file.
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
index 3c0af97192..9ed59cf64e 100644
--- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
+++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Customize Automatic Search for Internet Explorer using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers.
Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employee’s ability to add or remove search providers.
diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
index 06e8d6c3f3..7d0a2f9882 100644
--- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the ExtRegInf .INS file to specify installation files and mode
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to specify your Setup information (.inf) files and the installation mode for your custom components.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
index 47bf04d6e2..030dc054d2 100644
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add:
- **Links.** Used so your employees can quickly connect with your important websites. These links can appear in the **Links** folder or on the **Favorites Bar**.
diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
index 694b8d994d..ac736e20df 100644
--- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the FavoritesEx .INS file for your Favorites icon and URLs
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index b27bc3273a..f72747f486 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.sitesec: library
# Use the Feature Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including:
- **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics.
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index f3224c2055..0aee908cd4 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the File Locations page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including:
- Where you’ll create and store your custom installation package.
diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
index 38703f9131..616e3b9938 100644
--- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# File types used or created by IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
A list of the file types used or created by tools in IEAK 11:
|File type |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index 507450938d..9d6fe74f8a 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system.
- **Windows 8.1 Update and newer.** No longer includes a **Welcome** page, so if you pick the **Use Internet Explorer 11 Welcome Page** or the **Use a custom Welcome page** option, IEAK creates an initial **Home** page that loads before all other **Home** pages, as the first tab. This only applies to the Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
index 0864538448..e3d95badec 100644
--- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Customize the Toolbar button and Favorites List icons using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics.
**Important**
Check your license agreement to make sure this customization is available.
diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
index 0ba0f580a8..2da43b7f38 100644
--- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Hardware and software requirements for Internet Explorer 11 and the IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page.
## Hardware requirements
diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
index 7d50512355..6c46e306f3 100644
--- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the HideCustom .INS file to hide the GUID for each custom component
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about whether to hide the globally unique identifier (GUID) for each of your custom components.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
index 51dc959759..c9d24160a9 100644
--- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Internet Explorer Setup command-line options and return codes
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization.
## IE Setup command-line options
diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
index b8c3d25c24..1d8b34786a 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
# Internet Explorer Administration Kit (IEAK) information and downloads
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
>Applies to: Windows 10
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md).
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
index f27ec8b5b9..0aa9964807 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices.
## IE Customization Wizard 11 options
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
index cd7c730569..57128dfefe 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# IExpress Wizard command-line options
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
**Applies to:**
- Windows Server 2008 R2 with SP1
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
index 35dc9f9cc5..fe4bb3a985 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# IExpress Wizard for Windows Server 2008 R2 with SP1
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use the IExpress Wizard and its associated command-line options to create self-extracting files that automatically run your custom Internet Explorer Setup (.inf or .exe file) program that’s contained inside.
## IExpress Wizard location
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index 022767b179..b32b5bacab 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE.
**To use the Important URLS – Home Page and Support page**
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 29b8c0ceca..946a42e72a 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -14,6 +14,9 @@ manager: dansimp
# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
index 15db2bc20f..6936f198d0 100644
--- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Internal Install page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines.
**Note**
The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7.
diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
index b625916fd1..666c5f8b17 100644
--- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the ISP_Security .INS file to add your root certificate
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about where you store the root certificate you’re adding to your custom package.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index b2f66781b7..a343a30e51 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Language Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Language Selection** page of the Internet Explorer Customization Wizard 11 lets you choose the language for your Internet Explorer Administration Kit 11 (IEAK 11) custom package. You can create custom Internet Explorer 11 packages in any of the languages your operating system version is available in.
**Important**
Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly.
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index ea1f1cb9e1..4c14f5ec98 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 10/23/2018
# Determine the licensing version and features to use in IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
index a441fe7be2..f628def610 100644
--- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Media .INS file to specify your install media
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The types of media on which your custom install package is available.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
index ce2517bf60..ae7b3c6150 100644
--- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Package Type Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it.
**Important**
You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1.
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index 342ac46d58..67d9caac65 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Use the Platform Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package.
**To use the Platform Selection page**
diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
index 809110fc8b..4720c446af 100644
--- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Before you install your package over your network using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site.
**To lower your intranet security**
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index 8b46cc1615..acfbbc74ae 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Use the Programs page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer.
**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
index 06213a78ae..56a0823f9a 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use proxy auto-configuration (.pac) files with IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info.
Included examples:
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
index 80e2e5d2c0..9def48f2d3 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Proxy .INS file to specify a proxy server
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
index a99dc70ae0..ba113af6cc 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Proxy Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package.
Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings.
diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
index c6fb131002..f3b4414183 100644
--- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017
# Register an uninstall app for custom components using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel.
## Register your uninstallation program
diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
index 8bf7232c7c..340327e916 100644
--- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479).
**To add the RSoP snap-in**
diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
index f66425a743..c092a2101b 100644
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Search Providers page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE.
**Note**
The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK.
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
index 71d99f8b9f..336ad87ef1 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Security features and IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet.
## Enhanced Protection Mode
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
index 16ffc69435..c78a131719 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Security and Privacy Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting.
**To use the Security and Privacy Settings page**
diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
index e65b0e2b77..b4fd0c45b2 100644
--- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Use the Security Imports .INS file to import security info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
Info about how to import security information from your local device to your custom package.
|Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
index 9ae559b4b4..e4fcd7c739 100644
--- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
# Troubleshoot custom package and IEAK 11 problems
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package.
## I am unable to locate some of the wizard pages
diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
index 965fda174e..06a1d3c029 100644
--- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
@@ -1,40 +1,44 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server.
-author: dansimp
-ms.prod: ie11
-ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the URL .INS file to use an auto-configured proxy server
-Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server.
-
-|Name |Value |Description |
-|-----|------|------------|
-|AutoConfig |- **0.** Don’t automatically configure the browser.
- **1.** Automatically configure the browser.
|Determines whether to automatically configure the customized browser on your employee’s device. |
-|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) |
-|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. |
-|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. |
-|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. |
-|Help_Page |`` |The URL to your internal technical support site. |
-|Home_Page |`` |The URL to your default **Home** page. |
-|NoWelcome |- **0.** Display the **Welcome** page.
- **1.** Don’t display the **Welcome** page.
|Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. |
-|Quick_Link_1 |`` |The URL to your first Quick Link. |
-|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. |
-|Quick_Link_2 |`` |The URL to your second Quick Link. |
-|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. |
-|Quick_Link_X |`` |The URL to another Quick Link. |
-|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. |
-|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. |
-|Quick_Link_X_Offline |- **0.** Don’t make the Quick Links available offline.
- **1.** Make the Quick Links available offline.
|Determines whether to make the Quick Links available for offline browsing. |
-|Search_Page |`` |The URL to the default search page. |
-|UseLocalIns |- **0.** Don’t use a local .ins file.
- **1.** Use a local .ins file.
|Determines whether to use a local Internet Settings (.ins) file |
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server.
+author: dansimp
+ms.prod: ie11
+ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the URL .INS file to use an auto-configured proxy server
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server.
+
+|Name |Value |Description |
+|-----|------|------------|
+|AutoConfig |- **0.** Don’t automatically configure the browser.
- **1.** Automatically configure the browser.
|Determines whether to automatically configure the customized browser on your employee’s device. |
+|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) |
+|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. |
+|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. |
+|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. |
+|Help_Page |`` |The URL to your internal technical support site. |
+|Home_Page |`` |The URL to your default **Home** page. |
+|NoWelcome |- **0.** Display the **Welcome** page.
- **1.** Don’t display the **Welcome** page.
|Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. |
+|Quick_Link_1 |`` |The URL to your first Quick Link. |
+|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. |
+|Quick_Link_2 |`` |The URL to your second Quick Link. |
+|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. |
+|Quick_Link_X |`` |The URL to another Quick Link. |
+|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. |
+|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. |
+|Quick_Link_X_Offline |- **0.** Don’t make the Quick Links available offline.
- **1.** Make the Quick Links available offline.
|Determines whether to make the Quick Links available for offline browsing. |
+|Search_Page |`` |The URL to the default search page. |
+|UseLocalIns |- **0.** Don’t use a local .ins file.
- **1.** Use a local .ins file.
|Determines whether to use a local Internet Settings (.ins) file |
+
diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
index ed8f2be8f1..364daedbbc 100644
--- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
@@ -1,60 +1,64 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process.
-author: dansimp
-ms.prod: ie11
-ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the User Experience page in the IEAK 11 Wizard
-The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process.
-
-**Note**
You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7.
-
-**To use the User Experience page**
-
-1. Choose how your employee should interact with Setup, including:
-
- - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process.
-
- - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process.
-
- - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again.
-
Both the hands-free and completely silent installation options will:
-
- - Answer prompts so Setup can continue.
-
- - Accept the license agreement.
-
- - Determine that Internet Explorer 11 is installed and not just downloaded.
-
- - Perform your specific installation type.
-
- - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version.
-
-2. Choose if your employee’s device will restart at the end of Setup.
-
- - **Default**. Prompts your employees to restart after installing IE.
-
- - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later.
-
- - **Force restart**. Automatically restarts the computer after installing IE.
-
-3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process.
+author: dansimp
+ms.prod: ie11
+ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the User Experience page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process.
+
+**Note**
You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.
The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7.
+
+**To use the User Experience page**
+
+1. Choose how your employee should interact with Setup, including:
+
+ - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process.
+
+ - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process.
+
+ - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again.
+
Both the hands-free and completely silent installation options will:
+
+ - Answer prompts so Setup can continue.
+
+ - Accept the license agreement.
+
+ - Determine that Internet Explorer 11 is installed and not just downloaded.
+
+ - Perform your specific installation type.
+
+ - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version.
+
+2. Choose if your employee’s device will restart at the end of Setup.
+
+ - **Default**. Prompts your employees to restart after installing IE.
+
+ - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later.
+
+ - **Force restart**. Automatically restarts the computer after installing IE.
+
+3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
index 3efd12ffa8..c9bb888bed 100644
--- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
+++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
@@ -1,37 +1,41 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Using Internet Settings (.INS) files with IEAK 11
-Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file.
-
-Here's a list of the available .INS file settings:
-
-|Setting |Description |
-|-----------------------------------------|------------------------------------------------------------------------------|
-|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. |
-|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. |
-|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. |
-|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. |
-|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. |
-|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. |
-|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. |
-|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. |
-|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. |
-|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. |
-|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. |
-|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. |
-|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. |
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package.
+author: dansimp
+ms.prod: ie11
+ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Using Internet Settings (.INS) files with IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file.
+
+Here's a list of the available .INS file settings:
+
+|Setting |Description |
+|-----------------------------------------|------------------------------------------------------------------------------|
+|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. |
+|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. |
+|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. |
+|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. |
+|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. |
+|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. |
+|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. |
+|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. |
+|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. |
+|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. |
+|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. |
+|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. |
+|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. |
+
diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
index 06b86bce15..d62e11e507 100644
--- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
+++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
@@ -1,68 +1,72 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: support
-ms.pagetype: security
-description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-author: dansimp
-ms.author: dansimp
-ms.manager: elizapo
-ms.prod: ie11
-ms.assetid:
-ms.reviewer:
-audience: itpro
manager: dansimp
-title: What IEAK can do for you
-ms.sitesec: library
-ms.date: 05/10/2018
----
-
-# What IEAK can do for you
-
-Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-
-IEAK 10 and newer includes the ability to install using one of the following installation modes:
-
-- Internal
-
-- External
-
-## IEAK 11 users
-Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
-
-IEAK 10 and newer includes the ability to install using one of the following installation modes:
-- Internal
-- External
-
-> [!NOTE]
-> IEAK 11 works in network environments, with or without Microsoft Active Directory service.
-
-
-### Corporations
-IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality.
-
-Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older).
-
-### Internet service providers
-IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package.
-
-ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older).
-
-### Internet content providers
-IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use.
-
-ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older)
-
-### Independent software vendors
-IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar.
-
-ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older).
-
-## Additional resources
-
-- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
-- [Download IEAK 11](ieak-information-and-downloads.md)
-- [IEAK 11 overview](index.md)
-- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
-- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
-- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
-- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: support
+ms.pagetype: security
+description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+author: dansimp
+ms.author: dansimp
+ms.manager: elizapo
+ms.prod: ie11
+ms.assetid:
+ms.reviewer:
+audience: itpro
+manager: dansimp
+title: What IEAK can do for you
+ms.sitesec: library
+ms.date: 05/10/2018
+---
+
+# What IEAK can do for you
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
+Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+
+IEAK 10 and newer includes the ability to install using one of the following installation modes:
+
+- Internal
+
+- External
+
+## IEAK 11 users
+Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+
+IEAK 10 and newer includes the ability to install using one of the following installation modes:
+- Internal
+- External
+
+> [!NOTE]
+> IEAK 11 works in network environments, with or without Microsoft Active Directory service.
+
+
+### Corporations
+IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality.
+
+Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older).
+
+### Internet service providers
+IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package.
+
+ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older).
+
+### Internet content providers
+IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use.
+
+ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older)
+
+### Independent software vendors
+IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar.
+
+ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older).
+
+## Additional resources
+
+- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
+- [Download IEAK 11](ieak-information-and-downloads.md)
+- [IEAK 11 overview](index.md)
+- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
+- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
+- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
+- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
+- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
index e81b0eedea..03de7ed423 100644
--- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
@@ -1,31 +1,35 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package.
-author: dansimp
-ms.prod: ie11
-ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard
-The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**.
-
-In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads.
-
-After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package.
+author: dansimp
+ms.prod: ie11
+ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**.
+
+In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads.
+
+After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
new file mode 100644
index 0000000000..96a04e5f70
--- /dev/null
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -0,0 +1,13 @@
+---
+author: pamgreen-msft
+ms.author: pamgreen
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: pamgreen
+ms.prod: ie11
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](https://docs.microsoft.com/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed.
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index 1ef657304d..8e37f9eb2f 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to Add or Remove an Administrator by Using the Management Console (Windows 10)
-description: How to add or remove an administrator by using the Management Console
+description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
index ce050e817b..c26f77e8e4 100644
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to Add or Upgrade Packages by Using the Management Console (Windows 10)
-description: How to add or upgrade packages by using the Management Console
+description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
index ea02c9ad1f..58a0c8b25d 100644
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
@@ -1,6 +1,6 @@
---
title: Administering App-V by using Windows PowerShell (Windows 10)
-description: Administering App-V by Using Windows PowerShell
+description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index a913ce8a38..88430660e3 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -1,6 +1,6 @@
---
title: Application Publishing and Client Interaction (Windows 10)
-description: Application publishing and client interaction.
+description: Learn technical information about common App-V Client operations and their integration with the local operating system.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 6bb52f7eb3..8c4f4b2b2d 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -1,6 +1,6 @@
---
title: Available Mobile Device Management (MDM) settings for App-V (Windows 10)
-description: A list of the available MDM settings for App-V on Windows 10.
+description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 099bcdf1c4..d3c80a88c9 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -1,6 +1,6 @@
---
title: App-V Capacity Planning (Windows 10)
-description: App-V Capacity Planning
+description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
index 693a058d7e..f641b232d6 100644
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ b/windows/application-management/app-v/appv-client-configuration-settings.md
@@ -1,6 +1,6 @@
---
title: About Client Configuration Settings (Windows 10)
-description: About Client Configuration Settings
+description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index ae887fc389..52632f558e 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -1,6 +1,6 @@
---
title: How to make a connection group ignore the package version (Windows 10)
-description: How to make a connection group ignore the package version.
+description: Learn how to make a connection group ignore the package version with the App-V Server Management Console.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index f878e5f7a4..009019e015 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to connect to the Management Console (Windows 10)
-description: How to Connect to the App-V Management Console.
+description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index ed2d425dc4..a16ae77ec8 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -1,6 +1,6 @@
---
title: About the connection group virtual environment (Windows 10)
-description: Overview of how the connection group virtual environment works.
+description: Learn how the connection group virtual environment works and how package priority is determined.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index 794615f010..60c1c72c77 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -1,6 +1,6 @@
---
title: How to convert a package created in a previous version of App-V (Windows 10)
-description: How to convert a package created in a previous version of App-V.
+description: Use the package converter utility to convert a virtual application package created in a previous version of App-V.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index 9f08b25b41..829708fe4f 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -1,6 +1,6 @@
---
title: How to create a connection group (Windows 10)
-description: How to create a connection group with the App-V Management Console.
+description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index fb72cbc762..600df5f713 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -1,6 +1,6 @@
---
title: How to create a package accelerator by using Windows PowerShell (Windows 10)
-description: How to create a package accelerator with Windows PowerShell.
+description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 29d79221c5..b7ee707a61 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -1,6 +1,6 @@
---
title: Creating and managing App-V virtualized applications (Windows 10)
-description: Creating and managing App-V virtualized applications
+description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 9747e3066d..20c62b4398 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -1,6 +1,6 @@
---
title: How to delete a connection group (Windows 10)
-description: How to delete a connection group.
+description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index 3b5027c30b..16a77e0287 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to delete a package in the Management Console (Windows 10)
-description: How to delete a package in the Management Console.
+description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index e866c21b92..4717b5e4ef 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10)
-description: These instructions can be used to deploy App-V databases by using SQL scripts.
+description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index 0c013faf96..3c47fd5076 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -1,6 +1,6 @@
---
title: How to deploy App-V packages using electronic software distribution (Windows 10)
-description: How to deploy App-V packages using electronic software distribution.
+description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 728f4943a1..07407291fe 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Server Using a Script (Windows 10)
-description: Information, lists, and tables that can help you deploy the App-V server using a script
+description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.'
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 837d0e6a32..9284a9bfc6 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Server (Windows 10)
-description: Use these instructions to deploy the App-V Server in App-V for Windows 10.
+description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index b125e5282e..736d772dfc 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -1,6 +1,6 @@
---
title: Deploying Microsoft Office 2010 by Using App-V (Windows 10)
-description: See the methods for creating Microsoft Office 2010 packages by Using App-V.
+description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 4379625ee0..fee5c296a1 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -1,6 +1,6 @@
---
title: Deploying Microsoft Office 2013 by Using App-V (Windows 10)
-description: Deploying Microsoft Office 2013 by Using App-V
+description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index 4edf732dd1..8cb954168b 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -1,6 +1,6 @@
---
title: Deploying the App-V Sequencer and configuring the client (Windows 10)
-description: Deploying the App-V Sequencer and configuring the client
+description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index 576764fb91..97f97275be 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -1,6 +1,6 @@
---
title: Deploying the App-V Server (Windows 10)
-description: Deploying the App-V Server in App-V for Windows 10
+description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index bb97e27472..d09d0141d8 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -1,6 +1,6 @@
---
title: App-V Deployment Checklist (Windows 10)
-description: App-V Deployment Checklist
+description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index 13a82055b6..196cb62ece 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -1,6 +1,6 @@
---
title: About App-V Dynamic Configuration (Windows 10)
-description: About App-V Dynamic Configuration
+description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index 656f0264ce..601bfd8297 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -1,6 +1,6 @@
---
title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10)
-description: How to Enable Only Administrators to Publish Packages by Using an ESD
+description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index d9644226fb..c7985565d4 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -1,6 +1,6 @@
---
title: Enable the App-V in-box client (Windows 10)
-description: How to enable the App-V in-box client installed with Windows 10.
+description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 2e1556cb8a..03f116312a 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -1,6 +1,6 @@
---
title: Getting Started with App-V (Windows 10)
-description: Get started with Microsoft Application Virtualization (App-V) for Windows 10.
+description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index ab25607096..941e4f58e7 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -1,6 +1,6 @@
---
title: High-level architecture for App-V (Windows 10)
-description: High-level Architecture for App-V.
+description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index 93180520e7..7a13e789c6 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -1,6 +1,6 @@
---
title: Install the App-V Sequencer (Windows 10)
-description: Install the App-V Sequencer
+description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index 5a94cbc421..9b5aa14320 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -1,6 +1,6 @@
---
title: Managing Connection Groups (Windows 10)
-description: Managing Connection Groups
+description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index dff030f470..a3600bfa4c 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -1,6 +1,6 @@
---
title: Migrating to App-V from a Previous Version (Windows 10)
-description: Migrating to App-V for Windows 10 from a previous version
+description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index e2cb4eca48..c065c9a2a5 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -1,6 +1,6 @@
---
title: How to Modify an Existing Virtual Application Package (Windows 10)
-description: How to Modify an Existing Virtual Application Package
+description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index 7fe2f3896f..816015f740 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -1,6 +1,6 @@
---
title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10)
-description: How to Modify Client Configuration by Using Windows PowerShell
+description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index 5305207fe6..e34dd4f7dc 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -1,6 +1,6 @@
---
title: How to Move the App-V Server to Another Computer (Windows 10)
-description: How to Move the App-V Server to Another Computer
+description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index c45c9ab9cf..b68da536ab 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -1,6 +1,6 @@
---
title: Operations for App-V (Windows 10)
-description: Operations for App-V
+description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index 65ccf02292..ea4f11a42b 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -1,6 +1,6 @@
---
title: Performance Guidance for Application Virtualization (Windows 10)
-description: Performance Guidance for Application Virtualization
+description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index edaf668a89..4c098ba090 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -1,6 +1,6 @@
---
title: App-V Planning Checklist (Windows 10)
-description: App-V Planning Checklist
+description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index c9c570009a..2a6724419a 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -1,6 +1,6 @@
---
title: Planning to Use Folder Redirection with App-V (Windows 10)
-description: Planning to Use Folder Redirection with App-V
+description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index eaf7729f22..8aa07c226e 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -1,6 +1,6 @@
---
title: Planning for the App-V Server Deployment (Windows 10)
-description: Planning for the App-V 5.1 Server Deployment
+description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index d54d848a2c..0ebf3ccaf3 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -1,6 +1,6 @@
---
title: Planning for App-V (Windows 10)
-description: Planning for App-V
+description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index af66e545e4..29d772054e 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -1,6 +1,6 @@
---
title: Planning for High Availability with App-V Server
-description: Planning for High Availability with App-V Server
+description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
@@ -18,7 +18,7 @@ ms.topic: article
Microsoft Application Virtualization (App-V) system configurations can take advantage of options that maintain a high available service level.
-The following sections will he following sections to help you understand the options to deploy App-V in a highly available configuration.
+The following sections will help you understand the options to deploy App-V in a highly available configuration.
## Support for Microsoft SQL Server clustering
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index 4fa3630f7f..0f797ad9d7 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -1,6 +1,6 @@
---
title: Planning for the App-V Sequencer and Client Deployment (Windows 10)
-description: Planning for the App-V Sequencer and Client Deployment
+description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index da919b1dbf..91ade82d46 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -1,6 +1,6 @@
---
title: Planning for Deploying App-V with Office (Windows 10)
-description: Planning for Using App-V with Office
+description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index ee9e0b73a9..be621c72e2 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -1,6 +1,6 @@
---
title: Planning to Deploy App-V (Windows 10)
-description: Planning to Deploy App-V
+description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
index bc458a3f94..652eabd063 100644
--- a/windows/application-management/app-v/appv-prerequisites.md
+++ b/windows/application-management/app-v/appv-prerequisites.md
@@ -1,6 +1,6 @@
---
title: App-V Prerequisites (Windows 10)
-description: App-V Prerequisites
+description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index 41d35e29a0..e48f4c43c6 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -1,6 +1,6 @@
---
title: How to Publish a Connection Group (Windows 10)
-description: How to Publish a Connection Group
+description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index 57a4526ecf..41c995543f 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -1,6 +1,6 @@
---
title: About App-V Reporting (Windows 10)
-description: About App-V Reporting
+description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index ab6c1c4c32..d2dd484a97 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -1,6 +1,6 @@
---
title: App-V Security Considerations (Windows 10)
-description: App-V Security Considerations
+description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index c3e16261db..2eb919d9b5 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -1,6 +1,6 @@
---
title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
-description: How to manually sequence a new app using the App-V Sequencer
+description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 349ead11a5..2a353b9121 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -1,6 +1,6 @@
---
title: How to sequence a package by using Windows PowerShell (Windows 10)
-description: How to sequence a package by using Windows PowerShell
+description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index e0f6e0f48d..8cd6653c77 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -1,6 +1,6 @@
---
title: Technical Reference for App-V (Windows 10)
-description: Technical Reference for App-V
+description: Learn strategy and context for a number of performance optimization practices in this techincal reference for Application Virtualization (App-V).
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index fd794d1044..29240949b5 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -1,6 +1,6 @@
---
title: Troubleshooting App-V (Windows 10)
-description: Troubleshooting App-V
+description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index 4aedf60d24..8660d86846 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -1,6 +1,6 @@
---
title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10)
-description: Upgrading to App-V for Windows 10 from an existing installation
+description: Learn about upgrading to Application Virtualization (App-V) for Windows 10 from an existing installation.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index b6691c2fc5..7dc0a15d0a 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -1,6 +1,6 @@
---
title: Using the App-V Client Management Console (Windows 10)
-description: Using the App-V Client Management Console
+description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index eac57684c6..acbd96ca6e 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -1,6 +1,6 @@
---
title: Viewing App-V Server Publishing Metadata (Windows 10)
-description: Viewing App-V Server Publishing Metadata
+description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index c27ad32063..9d150d9583 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -51,13 +51,13 @@ Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, a
| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
@@ -77,10 +77,10 @@ Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, a
| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No |
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index fef303c216..f9a00fdc84 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -1,6 +1,6 @@
---
title: Windows 10 application management
-description: Windows 10 application management
+description: Learn about managing applications in Windows 10 and Windows 10 Mobile clients, including how to remove background task resource restrictions.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index 082fa016f4..5a0366f643 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -1,8 +1,8 @@
---
title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10)
+description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises.
ms.reviewer:
manager: dansimp
-description: Learn how to enable or block Windows Mixed Reality apps.
keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"]
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md
index 91ef9b0c48..b1c60124ea 100644
--- a/windows/application-management/msix-app-packaging-tool.md
+++ b/windows/application-management/msix-app-packaging-tool.md
@@ -1,6 +1,6 @@
---
title: Repackage your existing win32 applications to the MSIX format.
-description: Learn how to install and use the MSIX packaging tool.
+description: Learn how to install and use the MSIX packaging tool to repackage your existing win32 applications to the MSIX format.
keywords: ["MSIX", "application", "app", "win32", "packaging tool"]
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index 2dc4591d51..7305ea48e2 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -1,6 +1,6 @@
---
title: Sideload LOB apps in Windows 10 (Windows 10)
-description: Sideload line-of-business apps in Windows 10.
+description: Learn how to sideload line-of-business (LOB) apps in Windows 10. When you sideload an app, you deploy a signed app package to a device.
ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 5986263a1e..d236ee54f8 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -1,6 +1,6 @@
---
title: Advanced troubleshooting for Windows boot problems
-description: Learn how to troubleshoot when Windows is unable to boot
+description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
ms.prod: w10
ms.sitesec: library
author: dansimp
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index c04dae805a..ce50bd2b54 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -2,7 +2,7 @@
title: Advanced Troubleshooting Wireless Network Connectivity
ms.reviewer:
manager: dansimp
-description: Learn how troubleshooting of establishing Wi-Fi connections
+description: Learn how to troubleshoot Wi-Fi connections. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine.
keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index 5de58be176..ee8a044508 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -5,7 +5,6 @@ ms.prod: w10
author: Teresa-Motiv
ms.author: v-tea
ms.date: 12/13/2019
-ms.prod: w10
ms.topic: article
ms.custom:
- CI 111493
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index fa3febbd0f..3c7c213761 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -1,6 +1,6 @@
---
title: Change history for Client management (Windows 10)
-description: View changes to documentation for client management in Windows 10.
+description: Learn about new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index 52a10357c5..835007dc33 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -1,6 +1,6 @@
---
title: Generate a kernel or complete crash dump
-description: Learn how to generate a kernel or complete crash dump.
+description: Learn how to generate a kernel or complete crash dump, and then use the output to troubleshoot several issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
index dbcd186131..b1077e5be6 100644
--- a/windows/client-management/img-boot-sequence.md
+++ b/windows/client-management/img-boot-sequence.md
@@ -1,6 +1,6 @@
---
title: Boot sequence flowchart
-description: A full-sized view of the boot sequence flowchart.
+description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index 2f12bd900f..b1964db01a 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -1,6 +1,6 @@
---
title: Introduction to the page file
-description: Learn about the page files in Windows.
+description: Learn about the page files in Windows. A page file is an optional, hidden system file on a hard disk.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index 97ea145013..dc31960057 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -1,6 +1,6 @@
---
title: Manage the Settings app with Group Policy (Windows 10)
-description: Find out how to manage the Settings app with Group Policy.
+description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 476d73c694..2d6a0b7bda 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -171,6 +171,11 @@
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)
+#### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md)
+#### [ADMX_AppCompat](policy-csp-admx-appcompat.md)
+#### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md)
+#### [ADMX_DnsClient](policy-csp-admx-dnsclient.md)
+#### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
#### [ApplicationDefaults](policy-csp-applicationdefaults.md)
#### [ApplicationManagement](policy-csp-applicationmanagement.md)
#### [AppRuntime](policy-csp-appruntime.md)
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index c4a1538d53..c1b570d222 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Accounts DDF file
-description: XML file containing the device description framework for the Accounts configuration service provider.
+description: XML file containing the device description framework (DDF) for the Accounts configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index e2f9441b9c..37f6157570 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -1,6 +1,6 @@
---
title: ActiveSync CSP
-description: ActiveSync CSP
+description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync.
ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index 6e4c1c5000..1b1ae61c78 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -1,6 +1,6 @@
---
title: ActiveSync DDF file
-description: ActiveSync DDF file
+description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider.
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index 2c8cfbc647..4ad36bbd99 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: AllJoynManagement DDF
-description: Learn the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider.
+description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider.
ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index d4fe92e943..69a0b61ca3 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -1,6 +1,6 @@
---
title: APPLICATION configuration service provider
-description: APPLICATION configuration service provider
+description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 4fe03939a0..cfe9b24bd5 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -1,6 +1,6 @@
---
title: AppLocker CSP
-description: AppLocker CSP
+description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed.
ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index ffd93b2784..4ea2ef6556 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -1,6 +1,6 @@
---
title: AppLocker DDF file
-description: See the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
+description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md
index d07e9eea71..3e03f501a8 100644
--- a/windows/client-management/mdm/applocker-xsd.md
+++ b/windows/client-management/mdm/applocker-xsd.md
@@ -1,6 +1,6 @@
---
title: AppLocker XSD
-description: Here's the XSD for the AppLocker CSP.
+description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized.
ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index c4844e943d..703958aa0e 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -1,6 +1,6 @@
---
title: AssignedAccess DDF
-description: AssignedAccess DDF
+description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index b84c02e4e8..07f3aa7f0f 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -1,6 +1,6 @@
---
title: BitLocker CSP
-description: BitLocker CSP
+description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index edf7ea7a4b..693a48b687 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -1,6 +1,6 @@
---
title: BitLocker DDF file
-description: BitLocker DDF file
+description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md
index 00e4fe59b5..2381889266 100644
--- a/windows/client-management/mdm/bootstrap-csp.md
+++ b/windows/client-management/mdm/bootstrap-csp.md
@@ -1,6 +1,6 @@
---
title: BOOTSTRAP CSP
-description: Use the BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
+description: Use the BOOTSTRAP configuration service provider to set the Trusted Provisioning Server (TPS) for the device.
ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md
index 9e1c5633df..908672c4ef 100644
--- a/windows/client-management/mdm/browserfavorite-csp.md
+++ b/windows/client-management/mdm/browserfavorite-csp.md
@@ -1,6 +1,6 @@
---
title: BrowserFavorite CSP
-description: BrowserFavorite CSP
+description: Learn how the BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index edb5e3bdfa..953ddf78ae 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -1,6 +1,6 @@
---
title: CellularSettings CSP
-description: CellularSettings CSP
+description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md
index f6b0b2998b..0db0669275 100644
--- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md
@@ -1,6 +1,6 @@
---
title: Certificate Renewal
-description: Find all the resources needed to provide continuous access to client certificates.
+description: Learn how to find all the resources that you need to provide continuous access to client certificates.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index 6e878defd1..f709de39d0 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -17,7 +17,9 @@ ms.date: 02/28/2020
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
-> **Note** The CertificateStore configuration service provider does not support installing client certificates.
+> [!Note]
+> The CertificateStore configuration service provider does not support installing client certificates.
+> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive.
@@ -643,4 +645,3 @@ Configure the device to automatically renew an MDM client certificate with the s
-
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
index 8601f82b20..ed787a3b0f 100644
--- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
+++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
@@ -1,6 +1,6 @@
---
title: ClientCertificateInstall DDF file
-description: ClientCertificateInstall DDF file
+description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider.
ms.assetid: 7F65D045-A750-4CDE-A1CE-7D152AA060CA
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 02f2910d16..5063181c3f 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -1,6 +1,6 @@
---
title: CM\_CellularEntries CSP
-description: Configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
+description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md
index 828700b85a..816b5c188b 100644
--- a/windows/client-management/mdm/cm-proxyentries-csp.md
+++ b/windows/client-management/mdm/cm-proxyentries-csp.md
@@ -1,6 +1,6 @@
---
title: CM\_ProxyEntries CSP
-description: Configure proxy connections on mobile devices using CM\_ProxyEntries CSP.
+description: Learn how the CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index 08d0040594..df773dcb43 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -1,6 +1,6 @@
---
title: CMPolicyEnterprise CSP
-description: CMPolicyEnterprise CSP
+description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request.
ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
index 1eb4a02627..5c1c136c23 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
@@ -1,6 +1,6 @@
---
title: CMPolicyEnterprise DDF file
-description: CMPolicyEnterprise DDF file
+description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider.
ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md
index 05add93e6a..17b165ed51 100644
--- a/windows/client-management/mdm/customdeviceui-csp.md
+++ b/windows/client-management/mdm/customdeviceui-csp.md
@@ -1,6 +1,6 @@
---
title: CustomDeviceUI CSP
-description: CustomDeviceUI CSP
+description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application.
ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md
index 12b590ef8c..7623b155f2 100644
--- a/windows/client-management/mdm/customdeviceui-ddf.md
+++ b/windows/client-management/mdm/customdeviceui-ddf.md
@@ -1,6 +1,6 @@
---
title: CustomDeviceUI DDF
-description: CustomDeviceUI DDF
+description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider.
ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 3b8666fb79..da9959c0a2 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,6 +1,6 @@
---
title: Defender CSP
-description: See how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
+description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C
ms.reviewer:
manager: dansimp
@@ -51,7 +51,7 @@ Supported operation is Get.
**Detections/*ThreatId*/Severity**
Threat severity ID.
-The data type is a integer.
+The data type is integer.
The following list shows the supported values:
@@ -66,7 +66,7 @@ Supported operation is Get.
**Detections/*ThreatId*/Category**
Threat category ID.
-The data type is a integer.
+The data type is integer.
The following table describes the supported values:
@@ -128,7 +128,7 @@ Supported operation is Get.
**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
-The data type is a integer.
+The data type is integer.
The following list shows the supported values:
@@ -149,7 +149,7 @@ Supported operation is Get.
**Detections/*ThreatId*/ExecutionStatus**
Information about the execution status of the threat.
-The data type is a integer.
+The data type is integer.
Supported operation is Get.
@@ -170,7 +170,7 @@ Supported operation is Get.
**Detections/*ThreatId*/NumberOfDetections**
Number of times this threat has been detected on a particular client.
-The data type is a integer.
+The data type is integer.
Supported operation is Get.
@@ -182,7 +182,7 @@ Supported operation is Get.
**Health/ProductStatus**
Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
-Data type is integer. Supported operation is Get.
+The data type is integer. Supported operation is Get.
Supported product status values:
- No status = 0
@@ -233,7 +233,7 @@ Example:
**Health/ComputerState**
Provide the current state of the device.
-The data type is a integer.
+The data type is integer.
The following list shows the supported values:
@@ -394,7 +394,7 @@ When enabled or disabled exists on the client and admin moves the setting to not
Enables or disables file hash computation feature.
When this feature is enabled Windows defender will compute hashes for files it scans.
-The data type is a integer.
+The data type is integer.
Supported operations are Add, Delete, Get, Replace.
@@ -403,7 +403,7 @@ Valid values are:
- 0 (default) – Disable.
**Configuration/SupportLogLocation**
-The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
+The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
Data type is string.
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 60c2372aed..a63f4dec92 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,6 +1,6 @@
---
title: Defender DDF file
-description: See how the the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
+description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used.
ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
ms.reviewer:
manager: dansimp
@@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 10/21/2019
+ms.date: 08/11/2020
---
# Defender DDF file
@@ -45,7 +45,7 @@ The XML below is the current version for this CSP.
- com.microsoft/1.2/MDM/Defender
+ com.microsoft/1.3/MDM/Defender
@@ -734,6 +734,29 @@ The XML below is the current version for this CSP.
+
+ SupportLogLocation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
Scan
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 285d96ddf8..11ab51bf9e 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,6 +1,6 @@
---
title: DevDetail CSP
-description: DevDetail CSP
+description: Learn how the DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server.
ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index 0ab07220b6..25be11c21b 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DevDetail DDF file
-description: DevDetail DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider.
ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md
index 09d6af05e4..f24564545c 100644
--- a/windows/client-management/mdm/deviceinstanceservice-csp.md
+++ b/windows/client-management/mdm/deviceinstanceservice-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceInstanceService CSP
-description: DeviceInstanceService CSP
+description: Learn how the DeviceInstanceService configuration service provider (CSP) provides some device inventory information that could be useful for an enterprise.
ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index 246408076e..cef65071ec 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceLock CSP
-description: DeviceLock CSP
+description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies.
ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md
index 545ebcdb9b..eb63ef11fe 100644
--- a/windows/client-management/mdm/devicelock-ddf-file.md
+++ b/windows/client-management/mdm/devicelock-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DeviceLock DDF file
-description: DeviceLock DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP).
ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md
index b81a21b82e..aec2b4cc91 100644
--- a/windows/client-management/mdm/devinfo-ddf-file.md
+++ b/windows/client-management/mdm/devinfo-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DevInfo DDF file
-description: DevInfo DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP).
ms.assetid: beb07cc6-4133-4c0f-aa05-64db2b4a004f
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 2f00912ad8..2c49067d90 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -1,6 +1,6 @@
---
title: DiagnosticLog CSP
-description: DiagnosticLog CSP
+description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area.
ms.assetid: F76E0056-3ACD-48B2-BEA1-1048C96571C3
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 8bedac1205..f635ed44c6 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1,6 +1,6 @@
---
title: DiagnosticLog DDF
-description: DiagnosticLog DDF
+description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP).
ms.assetid: 9DD75EDA-5913-45B4-9BED-20E30CDEBE16
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index aa61f9d50b..4a45bf4eb2 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -1,6 +1,6 @@
---
title: DMAcc CSP
-description: DMAcc CSP
+description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects.
ms.assetid: 43e73d8a-6617-44e7-8459-5c96f4422e63
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md
index 232f5672cd..b10dcad38a 100644
--- a/windows/client-management/mdm/dmacc-ddf-file.md
+++ b/windows/client-management/mdm/dmacc-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DMAcc DDF file
-description: DMAcc DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP).
ms.assetid: 44dc99aa-2a85-498b-8f52-a81863765606
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 15b21d0197..c5ba87da90 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -1,6 +1,6 @@
---
title: DMClient DDF file
-description: DMClient DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP).
ms.assetid: A21B33AF-DB76-4059-8170-FADF2CB898A0
ms.reviewer:
manager: dansimp
@@ -1022,7 +1022,6 @@ The XML below is for Windows 10, version 1803.
-
diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
index 2e1b590d91..b9ed5780d0 100644
--- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
+++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
@@ -1,6 +1,6 @@
---
title: DMProcessConfigXMLFiltered function
-description: Configures phone settings by using OMA Client Provisioning XML.
+description: Learn how the DMProcessConfigXMLFiltered function configures phone settings by using OMA Client Provisioning XML.
Search.Refinement.TopicID: 184
ms.assetid: 31D79901-6206-454C-AE78-9B85A3B3487F
ms.reviewer:
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md
index b395c7c3ba..65aeb1a961 100644
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -1,6 +1,6 @@
---
title: DMSessionActions CSP
-description: DMSessionActions CSP
+description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md
index aef1210842..61b4b4754a 100644
--- a/windows/client-management/mdm/dmsessionactions-ddf.md
+++ b/windows/client-management/mdm/dmsessionactions-ddf.md
@@ -1,6 +1,6 @@
---
title: DMSessionActions DDF file
-description: DMSessionActions DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index e7d55aedc0..b6fe50d931 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: DynamicManagement CSP
-description: DynamicManagement CSP
+description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md
index 3439bf646a..2690fa4e23 100644
--- a/windows/client-management/mdm/dynamicmanagement-ddf.md
+++ b/windows/client-management/mdm/dynamicmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: DynamicManagement DDF file
-description: DynamicManagement DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP).
ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index ddb14a8d3f..844fc1be39 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -1,6 +1,6 @@
---
title: EMAIL2 CSP
-description: EMAIL2 CSP
+description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
ms.assetid: bcfc9d98-bc2e-42c6-9b81-0b5bf65ce2b8
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md
index f24a64e3e3..4f11b5b64d 100644
--- a/windows/client-management/mdm/email2-ddf-file.md
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -1,6 +1,6 @@
---
title: EMAIL2 DDF file
-description: EMAIL2 DDF file
+description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP).
ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index 1f420a71c4..805f9ee481 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -1,6 +1,6 @@
---
title: Enable ADMX-backed policies in MDM
-description: Use this is a step-by-step guide to configuring ADMX-backed policies in MDM.
+description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX-backed policies) in Mobile Device Management (MDM).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index f45e20d377..349687ed6c 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -1,6 +1,6 @@
---
title: Enroll a Windows 10 device automatically using Group Policy
-description: Enroll a Windows 10 device automatically using Group Policy
+description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
index e70eed0ce5..98739efcb1 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
@@ -1,6 +1,6 @@
---
title: EnrollmentStatusTracking DDF
-description: View the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md
index 319356f336..5e7af9b60d 100644
--- a/windows/client-management/mdm/enterpriseapn-ddf.md
+++ b/windows/client-management/mdm/enterpriseapn-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAPN DDF
-description: EnterpriseAPN DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP).
ms.assetid: A953ADEF-4523-425F-926C-48DA62EB9E21
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 22445122ec..272f60f44f 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement CSP
-description: Examine the tree format for EnterpriseAppVManagement configuration service provider (CSP) to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
+description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
index 626981e0ff..8cf951cf55 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement DDF file
-description: EnterpriseAppVManagement DDF file
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
index 2df97c9bf4..45d11904d5 100644
--- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAssignedAccess CSP
-description: Use the EnterpriseAssignedAccess CSP to configure custom layouts on a device.
+description: Use the EnterpriseAssignedAccess configuration service provider (CSP) to configure custom layouts on a device.
ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md
index 782bc735ed..24cadf3270 100644
--- a/windows/client-management/mdm/enterpriseext-csp.md
+++ b/windows/client-management/mdm/enterpriseext-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseExt CSP
-description: EnterpriseExt CSP
+description: Learn how the EnterpriseExt CSP allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior.
ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md
index e30ceeb37f..4b3d4b0afd 100644
--- a/windows/client-management/mdm/enterpriseext-ddf.md
+++ b/windows/client-management/mdm/enterpriseext-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseExt DDF
-description: EnterpriseExt DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExt configuration service provider (CSP).
ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
index 997493aee9..7efb54af20 100644
--- a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
+++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseExtFileSystem DDF
-description: EnterpriseExtFileSystem DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExtFileSystem configuration service provider (CSP).
ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 5384ce0168..77b6e72ff9 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseModernAppManagement CSP
-description: EnterpriseModernAppManagement CSP
+description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps.
ms.assetid: 9DD0741A-A229-41A0-A85A-93E185207C42
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
index aa2cdb680b..237000b2f0 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: EnterpriseModernAppManagement DDF
-description: EnterpriseModernAppManagement DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP).
ms.assetid:
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
index f7544b10a4..f8b15504cc 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
@@ -1,6 +1,6 @@
---
title: EnterpriseModernAppManagement XSD
-description: Use the EnterpriseModernAppManagement XSD for set application parameters.
+description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters.
ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md
index 9251f6a755..79545b45cc 100644
--- a/windows/client-management/mdm/esim-enterprise-management.md
+++ b/windows/client-management/mdm/esim-enterprise-management.md
@@ -1,6 +1,6 @@
---
title: eSIM Enterprise Management
-description: Managing eSIM devices in an enterprise
+description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
keywords: eSIM enterprise management
ms.prod: w10
ms.mktglfcycl:
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index 43626310a0..1f42e3e43d 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -1,6 +1,6 @@
---
title: eUICCs CSP
-description: eUICCs CSP
+description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index 3f3e71df8d..38bb8e5f6f 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -1,6 +1,6 @@
---
title: eUICCs DDF file
-description: eUICCs DDF file
+description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP).
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 653b03b527..9bad3fe712 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -1,6 +1,6 @@
---
title: FileSystem CSP
-description: FileSystem CSP
+description: Learn how the FileSystem CSP is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device.
ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 20172a8f10..72829fc3a9 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Firewall DDF file
-description: Firewall DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Firewall configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index e24210c9e0..0124df555f 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -1,6 +1,6 @@
---
title: Device HealthAttestation CSP
-description: Device HealthAttestation CSP
+description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions.
ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md
index 21934f6452..d7209b1cf2 100644
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -1,6 +1,6 @@
---
title: HealthAttestation DDF
-description: HealthAttestation DDF
+description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider.
ms.assetid: D20AC78D-D2D4-434B-B9FD-294BCD9D1DDE
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index 025ce63385..f4a14359a1 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -1,6 +1,6 @@
---
title: HotSpot CSP
-description: HotSpot CSP
+description: Learn how HotSpot configuration service provider (CSP) is used to configure and enable Internet sharing on a device.
ms.assetid: ec49dec1-fa79-420a-a9a7-e86668b3eebf
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/images/Provisioning_CSP_Defender.png b/windows/client-management/mdm/images/Provisioning_CSP_Defender.png
deleted file mode 100644
index 6ee31a8f16..0000000000
Binary files a/windows/client-management/mdm/images/Provisioning_CSP_Defender.png and /dev/null differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png
index 793b1568ff..ccf57208df 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index 7b8e606d40..1c9ca9aba5 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -1,6 +1,6 @@
---
title: MDM enrollment of Windows 10-based devices
-description: MDM enrollment of Windows 10-based devices
+description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources.
MS-HAID:
- 'p\_phdevicemgmt.enrollment\_ui'
- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index cc739605f3..e9383e871f 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -1,6 +1,6 @@
---
title: Messaging CSP
-description: Use the Messaging CSP to configure the ability to get text messages audited on a mobile device.
+description: Use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index 7d719b40aa..3597ffa5fe 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -1,6 +1,6 @@
---
title: MultiSIM CSP
-description: MultiSIM CSP allows the enterprise to manage devices with dual SIM single active configuration.
+description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index c4dbd6410a..dcaef76767 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -1,6 +1,6 @@
---
title: NAP CSP
-description: NAP CSP
+description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections.
ms.assetid: 82f04492-88a6-4afd-af10-a62b8d444d21
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 80a87e53d1..1b5f5ecdd4 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -1,6 +1,6 @@
---
title: NAPDEF CSP
-description: NAPDEF CSP
+description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs).
ms.assetid: 9bcc65dd-a72b-4f90-aba7-4066daa06988
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index c82e246263..43aff61d37 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -1,6 +1,6 @@
---
title: NetworkProxy CSP
-description: NetworkProxy CSP
+description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md
index 7535a3ce20..c2d3ea4a5e 100644
--- a/windows/client-management/mdm/networkqospolicy-ddf.md
+++ b/windows/client-management/mdm/networkqospolicy-ddf.md
@@ -1,6 +1,6 @@
---
title: NetworkQoSPolicy DDF
-description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML
+description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid:
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index aa0f6ee57d..83fd0ea765 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -13,7 +13,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 07/01/2019
+ms.date: 08/18/2020
---
# What's new in mobile device enrollment and management
@@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What is dmwappushsvc?](#what-is-dmwappushsvc)
- **Change history in MDM documentation**
+ - [August 2020](#august-2020)
- [July 2020](#july-2020)
- [June 2020](#june-2020)
- [May 2020](#may-2020)
@@ -314,11 +315,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
Privacy/DisablePrivacyExperience
Privacy/UploadUserActivities
Security/RecoveryEnvironmentAuthentication
-System/AllowDesktopAnalyticsProcessing
System/AllowDeviceNameInDiagnosticData
-System/AllowMicrosoftManagedDesktopProcessing
-System/AllowUpdateComplianceProcessing
-System/AllowWUfBCloudProcessing
System/ConfigureMicrosoft365UploadEndpoint
System/DisableDeviceDelete
System/DisableDiagnosticDataViewer
@@ -1998,10 +1995,16 @@ What data is handled by dmwappushsvc? | It is a component handling the internal
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. |
## Change history in MDM documentation
+
+### August 2020
+|New or updated topic | Description|
+|--- | ---|
+|[Policy CSP - System](policy-csp-system.md)|Removed the following policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
|
+
### July 2020
|New or updated topic | Description|
|--- | ---|
-|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
Updated the following policy setting:
- System/AllowCommercialDataPipeline
|
+|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
Updated the following policy setting:
- System/AllowCommercialDataPipeline
|
### June 2020
|New or updated topic | Description|
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md
index 7d58ebbea3..06a74f2979 100644
--- a/windows/client-management/mdm/nodecache-ddf-file.md
+++ b/windows/client-management/mdm/nodecache-ddf-file.md
@@ -1,6 +1,6 @@
---
title: NodeCache DDF file
-description: NodeCache DDF file
+description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP).
ms.assetid: d7605098-12aa-4423-89ae-59624fa31236
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index eef4903c8c..5a9ac5cc69 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -1,6 +1,6 @@
---
title: Personalization DDF file
-description: Learn how to set the OMA DM device description framework (DDF) for the **Personalization** configuration service provider.
+description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 5e23762281..7986a6fae0 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,6 +1,6 @@
---
title: Policy CSP
-description: Policy CSP
+description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10.
ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F
ms.reviewer:
manager: dansimp
@@ -168,6 +168,165 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_AddRemovePrograms policies
+
+ -
+ ADMX_AddRemovePrograms/DefaultCategory
+
+ -
+ ADMX_AddRemovePrograms/NoAddFromCDorFloppy
+
+ -
+ ADMX_AddRemovePrograms/NoAddFromInternet
+
+ -
+ ADMX_AddRemovePrograms/NoAddFromNetwork
+
+ -
+ ADMX_AddRemovePrograms/NoAddPage
+
+ -
+ ADMX_AddRemovePrograms/NoAddRemovePrograms
+
+ -
+ ADMX_AddRemovePrograms/NoChooseProgramsPage
+
+ -
+ ADMX_AddRemovePrograms/NoRemovePage
+
+ -
+ ADMX_AddRemovePrograms/NoServices
+
+ -
+ ADMX_AddRemovePrograms/NoSupportInfo
+
+ -
+ ADMX_AddRemovePrograms/NoWindowsSetupPage
+
+
+
+### ADMX_AppCompat policies
+
+
+ -
+ ADMX_AppCompat/AppCompatPrevent16BitMach
+
+ -
+ ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffSwitchBack
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffEngine
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffUserActionRecord
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffProgramInventory
+
+
+
+### ADMX_AuditSettings policies
+
+
+ -
+ ADMX_AuditSettings/IncludeCmdLine
+
+
+
+### ADMX_DnsClient policies
+
+
+ -
+ ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries
+
+ -
+ ADMX_DnsClient/DNS_AppendToMultiLabelName
+
+ -
+ ADMX_DnsClient/DNS_Domain
+
+ -
+ ADMX_DnsClient/DNS_DomainNameDevolutionLevel
+
+ -
+ ADMX_DnsClient/DNS_IdnEncoding
+
+ -
+ ADMX_DnsClient/DNS_IdnMapping
+
+ -
+ ADMX_DnsClient/DNS_NameServer
+
+ -
+ ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns
+
+ -
+ ADMX_DnsClient/DNS_PrimaryDnsSuffix
+
+ -
+ ADMX_DnsClient/DNS_RegisterAdapterName
+
+ -
+ ADMX_DnsClient/DNS_RegisterReverseLookup
+
+ -
+ ADMX_DnsClient/DNS_RegistrationEnabled
+
+ -
+ ADMX_DnsClient/DNS_RegistrationOverwritesInConflict
+
+ -
+ ADMX_DnsClient/DNS_RegistrationRefreshInterval
+
+ -
+ ADMX_DnsClient/DNS_RegistrationTtl
+
+ -
+ ADMX_DnsClient/DNS_SearchList
+
+ -
+ ADMX_DnsClient/DNS_SmartMultiHomedNameResolution
+
+ -
+ ADMX_DnsClient/DNS_SmartProtocolReorder
+
+ -
+ ADMX_DnsClient/DNS_UpdateSecurityLevel
+
+ -
+ ADMX_DnsClient/DNS_UpdateTopLevelDomainZones
+
+ -
+ ADMX_DnsClient/DNS_UseDomainNameDevolution
+
+ -
+ ADMX_DnsClient/Turn_Off_Multicast
+
+
+
+### ADMX_EventForwarding policies
+
+
+ -
+ ADMX_EventForwarding/ForwarderResourceUsage
+
+ -
+ ADMX_EventForwarding/SubscriptionManager
+
+
+
### ApplicationDefaults policies
@@ -3379,9 +3538,6 @@ The following diagram shows the Policy configuration service provider in tree fo
-
System/AllowCommercialDataPipeline
- -
- System/AllowDesktopAnalyticsProcessing
-
-
System/AllowDeviceNameInDiagnosticData
@@ -3397,24 +3553,15 @@ The following diagram shows the Policy configuration service provider in tree fo
-
System/AllowLocation
- -
- System/AllowMicrosoftManagedDesktopProcessing
-
-
System/AllowStorageCard
-
System/AllowTelemetry
-
- -
- System/AllowUpdateComplianceProcessing
-
System/AllowUserToResetPhone
- -
- System/AllowWUfBCloudProcessing
-
-
System/BootStartDriverInitialization
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index ebc28b415c..23c1bb8142 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AboveLock
-description: Learn the various AboveLock Policy CSP for Windows editions of Home, Pro, Business, and more.
+description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index fad4a74ad7..4367ed3ed6 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Accounts
-description: Policy CSP - Accounts
+description: Learn about the Policy configuration service provider (CSP). This articles describes account policies.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 9c2b674cee..d760021b1e 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ActiveXControls
-description: Learn the ins and outs of various Policy CSP - ActiveXControls settings, including SyncML, for Windows 10.
+description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
new file mode 100644
index 0000000000..37cf49d46f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
@@ -0,0 +1,954 @@
+---
+title: Policy CSP - ADMX_AddRemovePrograms
+description: Policy CSP - ADMX_AddRemovePrograms
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 08/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AddRemovePrograms
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## Policy CSP - ADMX_AddRemovePrograms
+
+
+ -
+ ADMX_AddRemovePrograms/DefaultCategory
+
+ -
+ ADMX_AddRemovePrograms/NoAddFromCDorFloppy
+
+ -
+ ADMX_AddRemovePrograms/NoAddFromInternet
+
+ -
+ ADMX_AddRemovePrograms/NoAddFromNetwork
+
+ -
+ ADMX_AddRemovePrograms/NoAddPage
+
+ -
+ ADMX_AddRemovePrograms/NoAddRemovePrograms
+
+ -
+ ADMX_AddRemovePrograms/NoChooseProgramsPage
+
+ -
+ ADMX_AddRemovePrograms/NoRemovePage
+
+ -
+ ADMX_AddRemovePrograms/NoServices
+
+ -
+ ADMX_AddRemovePrograms/NoSupportInfo
+
+ -
+ ADMX_AddRemovePrograms/NoWindowsSetupPage
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/DefaultCategory**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+  |
+
+
+ | Pro |
+  |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories.
+
+To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation.
+
+If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they are most likely to need.
+
+> [!NOTE]
+> This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify default category for Add New Programs*
+- GP name: *DefaultCategory*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddFromCDorFloppy**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media.
+
+If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components.
+
+> [!NOTE]
+> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the "Add a program from CD-ROM or floppy disk" option*
+- GP name: *NoAddFromCDorFloppy*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddFromInternet**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update.
+
+If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update.
+
+> [!NOTE]
+> If the "Hide Add New Programs page" setting is enabled, this setting is ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the "Add programs from Microsoft" option*
+- GP name: *NoAddFromInternet*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddFromNetwork**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files.
+
+If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu.
+
+If you disable this setting or do not configure it, "Add programs from your network" is available to all users.
+
+> [!NOTE]
+> If the "Hide Add New Programs page" setting is enabled, this setting is ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the "Add programs from your network" option*
+- GP name: *NoAddFromNetwork*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddPage**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator.
+
+If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Add New Programs page*
+- GP name: *NoAddPage*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoAddRemovePrograms**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.
+
+If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Add or Remove Programs*
+- GP name: *NoAddRemovePrograms*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoChooseProgramsPage**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.
+
+If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the Set Program Access and Defaults page*
+- GP name: *NoChooseProgramsPage*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoRemovePage**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs.
+
+If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Change or Remove Programs page*
+- GP name: *NoRemovePage*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoServices**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools.
+
+If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services.
+
+> [!NOTE]
+> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Go directly to Components Wizard*
+- GP name: *NoServices*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoSupportInfo**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page.
+
+If you disable this setting or do not configure it, the Support Info hyperlink appears.
+
+> [!NOTE]
+> Not all programs provide a support information hyperlink.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Support Information*
+- GP name: *NoSupportInfo*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**ADMX_AddRemovePrograms/NoWindowsSetupPage**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files.
+
+If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Add/Remove Windows Components page*
+- GP name: *NoWindowsSetupPage*
+- GP path: *Control Panel/Add or Remove Programs*
+- GP ADMX file name: *addremoveprograms.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md
new file mode 100644
index 0000000000..527d07b981
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md
@@ -0,0 +1,744 @@
+---
+title: Policy CSP - ADMX_AppCompat
+description: Policy CSP - ADMX_AppCompat
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 08/20/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AppCompat
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## Policy CSP - ADMX_AppCompat
+
+
+ -
+ ADMX_AppCompat/AppCompatPrevent16BitMach
+
+
+ -
+ ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage
+
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry
+
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffSwitchBack
+
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffEngine
+
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1
+
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2
+
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffUserActionRecord
+
+
+ -
+ ADMX_AppCompat/AppCompatTurnOffProgramInventory
+
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatPrevent16BitMach**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system.
+
+You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased.
+
+If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run.
+
+If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer.
+
+If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run.
+
+> [!NOTE]
+> This setting appears only in Computer Configuration.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent access to 16-bit applications*
+- GP name: *AppCompatPrevent16BitMach*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file.
+
+The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications.
+
+Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Program Compatibility Property Page*
+- GP name: *AppCompatRemoveProgramCompatPropPage*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Application Telemetry engine in the system.
+
+Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications.
+
+Turning Application Telemetry off by selecting "enable" will stop the collection of usage data.
+
+If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set.
+
+Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Application Telemetry*
+- GP name: *AppCompatTurnOffApplicationImpactTelemetry*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffSwitchBack**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Switchback compatibility engine in the system.
+
+Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications.
+
+Switchback is on by default.
+
+If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using.
+
+If you disable or do not configure this policy setting, the Switchback will be turned on.
+
+Reboot the system after changing the setting to ensure that your system accurately reflects those changes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off SwitchBack Compatibility Engine*
+- GP name: *AppCompatTurnOffSwitchBack*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffEngine**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the application compatibility engine in the system.
+
+The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem.
+
+Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed.
+
+The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly.
+
+This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential.
+
+> [!NOTE]
+> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Application Compatibility Engine*
+- GP name: *AppCompatTurnOffEngine*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Program Compatibility Assistant*
+- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_1*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
+
+If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues.
+
+If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
+
+> [!NOTE]
+> The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Program Compatibility Assistant*
+- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_2*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffUserActionRecord**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of Steps Recorder.
+
+Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection.
+
+If you enable this policy setting, Steps Recorder will be disabled.
+
+If you disable or do not configure this policy setting, Steps Recorder will be enabled.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Steps Recorder*
+- GP name: *AppCompatTurnOffUserActionRecord*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
+
+
+**ADMX_AppCompat/AppCompatTurnOffProgramInventory**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Inventory Collector.
+
+The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems.
+
+If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled.
+
+If you disable or do not configure this policy setting, the Inventory Collector will be turned on.
+
+> [!NOTE]
+> This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Inventory Collector*
+- GP name: *AppCompatTurnOffProgramInventory*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
new file mode 100644
index 0000000000..2f91449316
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
@@ -0,0 +1,119 @@
+---
+title: Policy CSP - ADMX_AuditSettings
+description: Policy CSP - ADMX_AuditSettings
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AuditSettings
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_AuditSettings policies
+
+
+ -
+ ADMX_AuditSettings/IncludeCmdLine
+
+
+
+
+
+
+
+**ADMX_AuditSettings/IncludeCmdLine**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled.
+
+If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.
+
+If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events.
+
+Default is Not configured.
+
+> [!NOTE]
+> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Include command line in process creation events*
+- GP name: *IncludeCmdLine*
+- GP path: *System/Audit Process Creation*
+- GP ADMX file name: *AuditSettings.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
new file mode 100644
index 0000000000..e3fef30269
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -0,0 +1,1725 @@
+---
+title: Policy CSP - ADMX_DnsClient
+description: Policy CSP - ADMX_DnsClient
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DnsClient
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_DnsClient policies
+
+
+ -
+ ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries
+
+ -
+ ADMX_DnsClient/DNS_AppendToMultiLabelName
+
+ -
+ ADMX_DnsClient/DNS_Domain
+
+ -
+ ADMX_DnsClient/DNS_DomainNameDevolutionLevel
+
+ -
+ ADMX_DnsClient/DNS_IdnEncoding
+
+ -
+ ADMX_DnsClient/DNS_IdnMapping
+
+ -
+ ADMX_DnsClient/DNS_NameServer
+
+ -
+ ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns
+
+ -
+ ADMX_DnsClient/DNS_PrimaryDnsSuffix
+
+ -
+ ADMX_DnsClient/DNS_RegisterAdapterName
+
+ -
+ ADMX_DnsClient/DNS_RegisterReverseLookup
+
+ -
+ ADMX_DnsClient/DNS_RegistrationEnabled
+
+ -
+ ADMX_DnsClient/DNS_RegistrationOverwritesInConflict
+
+ -
+ ADMX_DnsClient/DNS_RegistrationRefreshInterval
+
+ -
+ ADMX_DnsClient/DNS_RegistrationTtl
+
+ -
+ ADMX_DnsClient/DNS_SearchList
+
+ -
+ ADMX_DnsClient/DNS_SmartMultiHomedNameResolution
+
+ -
+ ADMX_DnsClient/DNS_SmartProtocolReorder
+
+ -
+ ADMX_DnsClient/DNS_UpdateSecurityLevel
+
+ -
+ ADMX_DnsClient/DNS_UpdateTopLevelDomainZones
+
+ -
+ ADMX_DnsClient/DNS_UseDomainNameDevolution
+
+ -
+ ADMX_DnsClient/Turn_Off_Multicast
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names.
+
+If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names.
+
+If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow NetBT queries for fully qualified domain names*
+- GP name: *DNS_AllowFQDNNetBiosQueries*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_AppendToMultiLabelName**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
+
+A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot.
+
+For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list.
+
+If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails.
+
+If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails.
+
+If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
+
+If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow DNS suffix appending to unqualified multi-label name queries*
+- GP name: *DNS_AppendToMultiLabelName*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_Domain**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
+
+If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Connection-specific DNS suffix*
+- GP name: *DNS_Domain*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_DomainNameDevolutionLevel**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process.
+
+With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
+
+The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
+
+Devolution is not enabled if a global suffix search list is configured using Group Policy.
+
+If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
+
+- The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
+- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
+
+For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
+
+If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+
+For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
+
+If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify.
+
+If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Primary DNS suffix devolution level*
+- GP name: *DNS_DomainNameDevolutionLevel*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_IdnEncoding**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
+
+If this policy setting is enabled, IDNs are not converted to Punycode.
+
+If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off IDN encoding*
+- GP name: *DNS_IdnEncoding*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_IdnMapping**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string.
+
+If this policy setting is enabled, IDNs are converted to the Nameprep form.
+
+If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *IDN mapping*
+- GP name: *DNS_IdnMapping*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_NameServer**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
+
+To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
+
+If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *DNS servers*
+- GP name: *DNS_NameServer*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+
+If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.
+
+If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.
+
+> [!NOTE]
+> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prefer link local responses over DNS when received over a network with higher precedence*
+- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_PrimaryDnsSuffix**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
+
+To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
+
+> [!IMPORTANT]
+> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
+
+If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
+
+You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
+
+If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Primary DNS suffix*
+- GP name: *DNS_PrimaryDnsSuffix*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegisterAdapterName**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
+
+By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
+
+If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
+
+For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
+
+Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
+
+If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Register DNS records with connection-specific DNS suffix*
+- GP name: *DNS_RegisterAdapterName*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegisterReverseLookup**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS client computers will register PTR resource records.
+
+By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
+
+If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records.
+
+To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
+
+- Do not register: Computers will not attempt to register PTR resource records
+- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful.
+- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Register PTR records*
+- GP name: *DNS_RegisterReverseLookup*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationEnabled**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
+
+If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
+
+If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Dynamic update*
+- GP name: *DNS_RegistrationEnabled*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
+
+This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.
+
+During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
+
+If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
+
+If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Replace addresses in conflicts*
+- GP name: *DNS_RegistrationOverwritesInConflict*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationRefreshInterval**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
+
+Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.
+
+> [!WARNING]
+> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
+
+To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
+
+If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Registration refresh interval*
+- GP name: *DNS_RegistrationRefreshInterval*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationTtl**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
+
+To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
+
+If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *TTL value for A and PTR records*
+- GP name: *DNS_RegistrationTtl*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_SearchList**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.
+
+An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com."
+
+Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com."
+
+To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
+
+If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.
+
+If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *DNS suffix search list*
+- GP name: *DNS_SearchList*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.
+
+If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
+
+If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off smart multi-homed name resolution*
+- GP name: *DNS_SmartMultiHomedNameResolution*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_SmartProtocolReorder**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+
+If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.
+
+If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
+
+> [!NOTE]
+> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off smart protocol reordering*
+- GP name: *DNS_SmartProtocolReorder*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_UpdateSecurityLevel**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the security level for dynamic DNS updates.
+
+To use this policy setting, click Enabled and then select one of the following values:
+
+- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
+- Only unsecure - computers send only nonsecure dynamic updates.
+- Only secure - computers send only secure dynamic updates.
+
+If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Update security level*
+- GP name: *DNS_UpdateSecurityLevel*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com."
+
+By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
+
+If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Update top level domain zones*
+- GP name: *DNS_UpdateTopLevelDomainZones*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_UseDomainNameDevolution**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.
+
+With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
+
+The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
+
+Devolution is not enabled if a global suffix search list is configured using Group Policy.
+
+If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
+
+The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
+
+Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
+
+For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
+
+If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+
+For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
+
+If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
+
+If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Primary DNS suffix devolution*
+- GP name: *DNS_UseDomainNameDevolution*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/Turn_Off_Multicast**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
+
+LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
+
+If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
+
+If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off multicast name resolution*
+- GP name: *Turn_Off_Multicast*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
new file mode 100644
index 0000000000..b964fbde10
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
@@ -0,0 +1,200 @@
+---
+title: Policy CSP - ADMX_EventForwarding
+description: Policy CSP - ADMX_EventForwarding
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/17/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_EventForwarding
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_EventForwarding policies
+
+
+ -
+ ADMX_EventForwarding/ForwarderResourceUsage
+
+ -
+ ADMX_EventForwarding/SubscriptionManager
+
+
+
+
+
+
+
+**ADMX_EventForwarding/ForwarderResourceUsage**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector.
+
+If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments.
+
+If you disable or do not configure this policy setting, forwarder resource usage is not specified.
+
+This setting applies across all subscriptions for the forwarder (source computer).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure forwarder resource usage*
+- GP name: *MaxForwardingRate*
+- GP path: *Windows Components/Event Forwarding*
+- GP ADMX file name: *EventForwarding.admx*
+
+
+
+
+
+
+
+
+**ADMX_EventForwarding/SubscriptionManager**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager.
+
+If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics.
+
+Use the following syntax when using the HTTPS protocol:
+
+``` syntax
+
+Server=https://:5986/wsman/SubscriptionManager/WEC,Refresh=,IssuerCA=.
+```
+
+When using the HTTP protocol, use port 5985.
+
+If you disable or do not configure this policy setting, the Event Collector computer will not be specified.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure target Subscription Manager*
+- GP name: *SubscriptionManager*
+- GP path: *Windows Components/Event Forwarding*
+- GP ADMX file name: *EventForwarding.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index ccc641c6a3..eb4a7086d1 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ApplicationDefaults
-description: Policy CSP - ApplicationDefaults
+description: Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 6b55aa34e3..1f128f9b64 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ApplicationManagement
-description: Policy CSP - ApplicationManagement
+description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index 6e15e10e88..2a224f8bfe 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AppRuntime
-description: Control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.Policy CSP - AppRuntime.
+description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 29788ea127..63cdb4036d 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AppVirtualization
-description: Policy CSP - AppVirtualization
+description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index cb2130e778..e808f11e13 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AttachmentManager
-description: Manage Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local).
+description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index ffd4519182..7d0997f275 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Audit
-description: Policy CSP - Audit
+description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't log on to a computer because the account is locked out.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 96f9787790..51f56ffbbb 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Authentication
-description: Policy CSP - Authentication
+description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign in screen.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index 36a05de8df..15b769497e 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Autoplay
-description: Policy CSP - Autoplay
+description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 28123a7dc0..6426fba5e8 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Bluetooth
-description: Policy CSP - Bluetooth
+description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 206e99f3db..d2c9190e0b 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Browser
-description: Learn how to set the Policy CSP - Browser settings for Microsoft Edge, version 45 and earlier.
+description: Learn how to use the Policy CSP - Browser settings so you can configure Microsoft Edge browser, version 45 and earlier.
ms.topic: article
ms.prod: w10
ms.technology: windows
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 0def6900f0..93e5c5d6cf 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Camera
-description: Policy CSP - Camera
+description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 3d156b1c89..ccd0ab26c1 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Cellular
-description: Policy CSP - Cellular
+description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index ee83ad3d00..503ee130bc 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Connectivity
-description: Policy CSP - Connectivity
+description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index a822c7a831..9a867b0778 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ControlPolicyConflict
-description: Policy CSP - ControlPolicyConflict
+description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 425fcf361a..89e4817ce7 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - CredentialProviders
-description: Learn the policy CSP for credential provider set up, sign in, PIN requests and so on.
+description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index c8416c3bb9..71447f45ab 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - CredentialsDelegation
-description: Policy CSP - CredentialsDelegation
+description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 349800035d..5ccf34a12e 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - CredentialsUI
-description: Policy CSP - CredentialsUI
+description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 55ceb74581..b141d4387b 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Cryptography
-description: Policy CSP - Cryptography
+description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 4c71a876a5..9da8c6ce2c 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DataProtection
-description: Policy CSP - DataProtection
+description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 28f919ead9..cb540b3415 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DataUsage
-description: Policy CSP - DataUsage
+description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index c2fb83fe51..79fe896cdf 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Defender
-description: Policy CSP - Defender
+description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index bdf3985bb6..4061074c76 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DeliveryOptimization
-description: Policy CSP - DeliveryOptimization
+description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 0ade992a1d..dfbed26745 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Desktop
-description: Policy CSP - Desktop
+description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index 163655f59f..9512ffde73 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DeviceGuard
-description: Policy CSP - DeviceGuard
+description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 8277ae0425..60d4832fae 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DeviceHealthMonitoring
-description: Learn which DeviceHealthMonitoring policies are supported for your edition of Windows.
+description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 5d67b14d8d..24c7b04cbf 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -2,7 +2,7 @@
title: Policy CSP - DeviceInstallation
ms.reviewer:
manager: dansimp
-description: Policy CSP - DeviceInstallation
+description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install.
ms.author: dansimp
ms.date: 09/27/2019
ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index f95a796932..f68a71f820 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DeviceLock
-description: Policy CSP - DeviceLock
+description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 9645a371ac..82dbb630ae 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Display
-description: Policy CSP - Display
+description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index e5511ffaa0..0d8f6b40f8 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DmaGuard
-description: Policy CSP - DmaGuard
+description: Learn how to use the Policy CSP - DmaGuard setting to provide additional security against external DMA capable devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 9e12bc04e4..18cce493eb 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Education
-description: Control graphing functionality in the Windows Calculator app.
+description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index c450267337..e9d1cb8436 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - EnterpriseCloudPrint
-description: Policy CSP - EnterpriseCloudPrint
+description: Use the Policy CSP - EnterpriseCloudPrint setting to define the maximum number of printers that should be queried from a discovery end point.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 79bbb1b92f..b4f27cc7c0 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ErrorReporting
-description: Policy CSP - ErrorReporting
+description: Learn how to use the Policy CSP - ErrorReporting setting to determine the consent behavior of Windows Error Reporting for specific event types.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 17080a877e..d86bd44edc 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - EventLogService
-description: Policy CSP - EventLogService
+description: Learn how to use the Policy CSP - EventLogService settting to control Event Log behavior when the log file reaches its maximum size.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index ff50088666..d9e072c7c3 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Experience
-description: Learn the various Experience policy CSP for Cortana, Sync, Spotlight and more.
+description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 1e1b072f7d..92829f957e 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ExploitGuard
-description: Policy CSP - ExploitGuard
+description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index 993073f411..58b2bf5175 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - FileExplorer
-description: Policy CSP - FileExplorer
+description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 63eb04a5c3..f62143e2a6 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Games
-description: Policy CSP - Games
+description: Learn to use the Policy CSP - Games setting so that you can specify whether advanced gaming services can be used.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 8893695276..dea9168e36 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Handwriting
-description: Policy CSP - Handwriting
+description: Use the Policy CSP - Handwriting setting to allow an enterprise to configure the default mode for the handwriting panel.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index a1b9bb2b78..c63c654abe 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - InternetExplorer
-description: Policy CSP - InternetExplorer
+description: Use the Policy CSP - InternetExplorer setting to add a specific list of search providers to the user's default list of search providers.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 06023ba3f8..b5331fa661 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Kerberos
-description: Policy CSP - Kerberos
+description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 5bbe648950..be0176ca9b 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - KioskBrowser
-description: Policy CSP - KioskBrowser
+description: Use the Policy CSP - KioskBrowser setting to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index 011b60a5d7..bb03f10884 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - LanmanWorkstation
-description: Policy CSP - LanmanWorkstation
+description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest logons to an SMB server.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index c4e988fd6d..bfef6090cc 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Licensing
-description: Policy CSP - Licensing
+description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 81f3ae2ca6..bc065532ed 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - LockDown
-description: Policy CSP - LockDown
+description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 87ede82676..34c246f134 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Maps
-description: Policy CSP - Maps
+description: Use the Policy CSP - Maps setting to allow the download and update of map data over metered connections.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 7835ef3d3c..d464f4c063 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - MSSecurityGuide
-description: See how this ADMX-backed policy requires a special SyncML format to enable or disable.
+description: Learn how Policy CSP - MSSecurityGuide, an ADMX-backed policy, requires a special SyncML format to enable or disable.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index ad6734ce70..d4a5030052 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - MSSLegacy
-description: Policy CSP - MSSLegacy
+description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 3f42c5653f..95d9af4a93 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - NetworkIsolation
-description: Policy CSP - NetworkIsolation
+description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 5da2930e76..d17cdbe1bc 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Power
-description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10.
+description: Learn how the Policy CSP - Power setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 9b20cf82c2..ca873b0393 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Privacy
-description: Policy CSP - Privacy
+description: Learn how the Policy CSP - Privacy setting allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 39e59b9ba2..340bef38c2 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteAssistance
-description: Policy CSP - RemoteAssistance
+description: Learn how the Policy CSP - RemoteAssistance setting allows you to specify a custom message to display.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index e4fefcbc62..a33ad83d33 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteDesktopServices
-description: Policy CSP - RemoteDesktopServices
+description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 6c88c68b12..fae950baec 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteManagement
-description: Policy CSP - RemoteManagement
+description: Learn how the Policy CSP - RemoteManagement setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index d6b5c1ab71..493027a454 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteProcedureCall
-description: Policy CSP - RemoteProcedureCall
+description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they are making contains authentication information.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 534584eca6..ac6201611a 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RemoteShell
-description: Policy CSP - RemoteShell
+description: Learn details about the Policy CSP - RemoteShell setting so that you can configure access to remote shells.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 86a64acdd0..204cf968b0 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - RestrictedGroups
-description: Policy CSP - RestrictedGroups
+description: Learn how the Policy CSP - RestrictedGroups setting allows an administrator to define the members that are part of a security-sensitive (restricted) group.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index e23ac51307..5fe588c782 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Search
-description: Policy CSP - Search
+description: Learn how the Policy CSP - Search setting allows search and Cortana to search cloud sources like OneDrive and SharePoint.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 81eb2aa84e..7c7feb1aeb 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Security
-description: Policy CSP - Security
+description: Learn how the Policy CSP - Security setting can specify whether to allow the runtime configuration agent to install provisioning packages.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index f1ac63ed5f..762c801e6c 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - ServiceControlManager
-description: Policy CSP - ServiceControlManager
+description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 6052b904e8..1e16989ede 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Settings
-description: Policy CSP - Settings
+description: Learn how to use the Policy CSP - Settings setting so that you can allow the user to change Auto Play settings.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 2c2fceffc1..2cdf136faf 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - SmartScreen
-description: Policy CSP - SmartScreen
+description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index aca2851f58..39cd9db038 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Speech
-description: Policy CSP - Speech
+description: Learn how the Policy CSP - Speech setting specifies whether the device will receive updates to the speech recognition and speech synthesis models.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 31872e9f67..0b6888322b 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Start
-description: Use this policy CSP to control the visibility of the Documents shortcut on the Start menu.
+description: Use the Policy CSP - Start setting to control the visibility of the Documents shortcut on the Start menu.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 0afd39b6c8..52f43753a2 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Storage
-description: Policy CSP - Storage
+description: Learn to use the Policy CSP - Storage settings to automatically clean some of the user’s files to free up disk space.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 73f8d6586a..9c05c19f4f 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 06/25/2020
+ms.date: 08/12/2020
ms.reviewer:
manager: dansimp
---
@@ -28,9 +28,6 @@ manager: dansimp
-
System/AllowCommercialDataPipeline
- -
- System/AllowDesktopAnalyticsProcessing
-
-
System/AllowDeviceNameInDiagnosticData
@@ -46,24 +43,15 @@ manager: dansimp
-
System/AllowLocation
- -
- System/AllowMicrosoftManagedDesktopProcessing
-
-
System/AllowStorageCard
-
System/AllowTelemetry
- -
- System/AllowUpdateComplianceProcessing
-
-
System/AllowUserToResetPhone
- -
- System/AllowWUfBCloudProcessing
-
-
System/BootStartDriverInitialization
@@ -257,88 +245,7 @@ The following list shows the supported values:
-
-
-
-**System/AllowDesktopAnalyticsProcessing**
-
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Desktop Analytics service is configured to use Windows diagnostic data collected from devices.
-
-If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
-
-If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
-
->[!Note]
-> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device.
-
-
-
-ADMX Info:
-- GP English name: *Allow Desktop Analytics Processing*
-- GP name: *AllowDesktopAnalyticsProcessing*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 (default) – Diagnostic data is not processed by Desktop Analytics.
-- 2 – Diagnostic data is allowed to be processed by Desktop Analytics.
-
-
-
-
-
-
-
-
-
-
-
-
**System/AllowDeviceNameInDiagnosticData**
@@ -691,71 +598,6 @@ The following list shows the supported values:
-
-**System/AllowMicrosoftManagedDesktopProcessing**
-
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Microsoft Managed Desktop service is configured to use Windows diagnostic data collected from devices.
-
-If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
-
-If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
-
-> [!Note]
-> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device.
-
-
-
-The following list shows the supported values:
-
-- 0 (default)– Diagnostic data is not processed by Microsoft Managed Desktop.
-- 32 – Diagnostic data is processed by Microsoft Managed Desktop.
-
-
-
-
-
-
**System/AllowStorageCard**
@@ -950,78 +792,6 @@ ADMX Info:
-
-**System/AllowUpdateComplianceProcessing**
-
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Update Compliance service is configured to use Windows diagnostic data collected from devices.
-
-If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
-
-If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
-
->[!Note]
-> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) setting to limit the diagnostic data that can be collected from the device.
-
-
-
-ADMX Info:
-- GP English name: *Enable Update Compliance Processing*
-- GP name: *AllowUpdateComplianceProcessing*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 (default)– Diagnostic data is not processed by Update Compliance.
-- 16 – Diagnostic data is allowed to be processed by Update Compliance.
-
-
-
-
-
**System/AllowUserToResetPhone**
@@ -1081,71 +851,6 @@ The following list shows the supported values:
-
-
-**System/AllowWUfBCloudProcessing**
-
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Windows Update for Business cloud service is configured to use Windows diagnostic data collected from devices.
-
-If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
-
-If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
-
->[!Note]
-> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device.
-
-
-
-
-The following list shows the supported values:
-- 0 (default) – Diagnostic data is not processed by Windows Update for Business cloud.
-- 8 – Diagnostic data is allowed to be processed by Windows Update for Business cloud.
-
-
-
-
-
**System/BootStartDriverInitialization**
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 19836d1ca5..a7f98a6c0c 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - SystemServices
-description: Policy CSP - SystemServices
+description: Learn how to use the Policy CSP - SystemServices setting to determine whether the service's start type is Automatic(2), Manual(3), Disabled(4).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 9787467c21..ce84398393 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - TaskManager
-description: Policy CSP - TaskManager
+description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index 44a8f08bdd..ab6ec4d46c 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - TaskScheduler
-description: Policy CSP - TaskScheduler
+description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index e1799a0c16..99360d692b 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - TextInput
-description: Policy CSP - TextInput
+description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index d029929145..8ef9349148 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - TimeLanguageSettings
-description: Learn which TimeLanguageSettings policies are supported for your edition of Windows.
+description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index 881b9b3a43..c7862d0866 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Troubleshooting
-description: Policy CSP - Troubleshooting
+description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index d9187a1854..38e9dd4066 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Update
-description: Manage a range of active hours for when update reboots are not scheduled.
+description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 73f3dfd843..df12efd32b 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - UserRights
-description: Policy CSP - UserRights
+description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 770316e0bc..db63da7a5a 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Wifi
-description: Policy CSP - Wifi
+description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
index 4cbed0f5f3..4f89b78bcf 100644
--- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
+++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsConnectionManager
-description: Policy CSP - WindowsConnectionManager
+description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain based network and a non-domain based network simultaneously.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index d2c74ba941..a4cd3536f0 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsDefenderSecurityCenter
-description: Policy CSP - WindowsDefenderSecurityCenter
+description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index bc97e2e774..e60269d795 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsInkWorkspace
-description: Policy CSP - WindowsInkWorkspace
+description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index d3793a4bb7..c7ccb54106 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsLogon
-description: Policy CSP - WindowsLogon
+description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md
index cc4f87b917..b60def1361 100644
--- a/windows/client-management/mdm/policy-csp-windowspowershell.md
+++ b/windows/client-management/mdm/policy-csp-windowspowershell.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WindowsPowerShell
-description: Policy CSP - WindowsPowerShell
+description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index eb74f99772..3aff9aac6c 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - WirelessDisplay
-description: Policy CSP - WirelessDisplay
+description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md
index fed6d0138d..6e3d43c649 100644
--- a/windows/client-management/mdm/policy-csps-admx-backed.md
+++ b/windows/client-management/mdm/policy-csps-admx-backed.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 07/18/2019
+ms.date: 08/18/2020
---
# ADMX-backed policy CSPs
@@ -21,6 +21,51 @@ ms.date: 07/18/2019
>
- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [ADMX_AddRemovePrograms/DefaultCategory](/policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory)
+- [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy)
+- [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet)
+- [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork)
+- [ADMX_AddRemovePrograms/NoAddPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddpage)
+- [ADMX_AddRemovePrograms/NoAddRemovePrograms](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddremoveprograms)
+- [ADMX_AddRemovePrograms/NoChooseProgramsPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nochooseprogramspage)
+- [ADMX_AddRemovePrograms/NoRemovePage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noremovepage)
+- [ADMX_AddRemovePrograms/NoServices](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices)
+- [ADMX_AddRemovePrograms/NoSupportInfo](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo)
+- [ADMX_AddRemovePrograms/NoWindowsSetupPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage)
+- [ADMX_AppCompat/AppCompatPrevent16BitMach](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach)
+- [ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage)
+- [ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry)
+- [ADMX_AppCompat/AppCompatTurnOffSwitchBack](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffswitchback)
+- [ADMX_AppCompat/AppCompatTurnOffEngine](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffengine)
+- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1)
+- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2)
+- [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord)
+- [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory)
+- [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline)
+- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries)
+- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname)
+- [ADMX_DnsClient/DNS_Domain](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domain)
+- [ADMX_DnsClient/DNS_DomainNameDevolutionLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domainnamedevolutionlevel)
+- [ADMX_DnsClient/DNS_IdnEncoding](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnencoding)
+- [ADMX_DnsClient/DNS_IdnMapping](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnmapping)
+- [ADMX_DnsClient/DNS_NameServer](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-nameserver)
+- [ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-preferlocalresponsesoverlowerorderdns)
+- [ADMX_DnsClient/DNS_PrimaryDnsSuffix](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-primarydnssuffix)
+- [ADMX_DnsClient/DNS_RegisterAdapterName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registeradaptername)
+- [ADMX_DnsClient/DNS_RegisterReverseLookup](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registerreverselookup)
+- [ADMX_DnsClient/DNS_RegistrationEnabled](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationenabled)
+- [ADMX_DnsClient/DNS_RegistrationOverwritesInConflict](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationoverwritesinconflict)
+- [ADMX_DnsClient/DNS_RegistrationRefreshInterval](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationrefreshinterval)
+- [ADMX_DnsClient/DNS_RegistrationTtl](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationttl)
+- [ADMX_DnsClient/DNS_SearchList](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-searchlist)
+- [ADMX_DnsClient/DNS_SmartMultiHomedNameResolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartmultihomednameresolution)
+- [ADMX_DnsClient/DNS_SmartProtocolReorder](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartprotocolreorder)
+- [ADMX_DnsClient/DNS_UpdateSecurityLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatesecuritylevel)
+- [ADMX_DnsClient/DNS_UpdateTopLevelDomainZones](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones)
+- [ADMX_DnsClient/DNS_UseDomainNameDevolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution)
+- [ADMX_DnsClient/Turn_Off_Multicast](./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast)
+- [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage)
+- [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager)
- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
@@ -406,8 +451,6 @@ ms.date: 07/18/2019
- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
-- [System/AllowDesktopAnalyticsProcessing](./policy-csp-system.md#system-allowdesktopanalyticsprocessing)
-- [System/AllowUpdateComplianceProcessing](./policy-csp-system.md#system-allowppdatecomplianceprocessing)
- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 7a522ee312..27c1aceaf0 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Policy DDF file
-description: Policy DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider.
ms.assetid: D90791B5-A772-4AF8-B058-5D566865AF8D
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md
index ad4bb24be7..656e292b4e 100644
--- a/windows/client-management/mdm/policymanager-csp.md
+++ b/windows/client-management/mdm/policymanager-csp.md
@@ -1,6 +1,6 @@
---
title: PolicyManager CSP
-description: PolicyManager CSP
+description: Learn how PolicyManager CSP is deprecated. For Windows 10 devices you should use Policy CSP, which replaces PolicyManager CSP.
ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md
index cced09bc2b..c1d9034fe8 100644
--- a/windows/client-management/mdm/proxy-csp.md
+++ b/windows/client-management/mdm/proxy-csp.md
@@ -1,6 +1,6 @@
---
title: PROXY CSP
-description: PROXY CSP
+description: Learn how the PROXY configuration service provider (CSP) is used to configure proxy connections.
ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index e7cb92b9c4..d906bca3da 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -1,6 +1,6 @@
---
title: Reboot CSP
-description: Reboot CSP
+description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings.
ms.assetid: 4E3F1225-BBAD-40F5-A1AB-FF221B6BAF48
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md
index 61d34774a7..4978cc70e0 100644
--- a/windows/client-management/mdm/registry-csp.md
+++ b/windows/client-management/mdm/registry-csp.md
@@ -1,6 +1,6 @@
---
title: Registry CSP
-description: Registry CSP
+description: In this article, learn how to use the Registry configuration service provider (CSP) to update registry settings.
ms.assetid: 2307e3fd-7b61-4f00-94e1-a639571f2c9d
ms.reviewer:
manager: dansimp
@@ -17,7 +17,8 @@ ms.date: 06/26/2017
The Registry configuration service provider is used to update registry settings. However, if there is configuration service provider that is specific to the settings that need to be updated, use the specific configuration service provider.
-> **Note** The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management.
+> [!NOTE]
+> The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management.
For Windows 10 Mobile only, this configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
@@ -32,13 +33,12 @@ For OMA Client Provisioning, the follows notes apply:
- This documentation describes the default characteristics. Additional characteristics may be added.
-- Because the **Registry** configuration service provider uses the backslash (\) character as a separator between key names, backslashes which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\).
+- Because the **Registry** configuration service provider uses the backslash (\\) character as a separator between key names, backslashes which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\\).
The default security role maps to each subnode unless specific permission is granted to the subnode. The security role for subnodes is implementation specific, and can be changed by OEMs and mobile operators.
## Microsoft Custom Elements
-
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
@@ -75,11 +75,10 @@ The following table shows the Microsoft custom elements that this configuration
-
Use these elements to build standard OMA Client Provisioning configuration XML. For information about specific elements, see MSPROV DTD elements.
-## Supported Data Types
+## Supported Data Types
The following table shows the data types this configuration service provider supports.
diff --git a/windows/client-management/mdm/registry-ddf-file.md b/windows/client-management/mdm/registry-ddf-file.md
index 164f8d4a66..6b6bc9c191 100644
--- a/windows/client-management/mdm/registry-ddf-file.md
+++ b/windows/client-management/mdm/registry-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Registry DDF file
-description: Registry DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Registry configuration service provider (CSP).
ms.assetid: 29b5cc07-f349-4567-8a77-387d816a9d15
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/remotelock-ddf-file.md b/windows/client-management/mdm/remotelock-ddf-file.md
index 2408353c86..d740994fc1 100644
--- a/windows/client-management/mdm/remotelock-ddf-file.md
+++ b/windows/client-management/mdm/remotelock-ddf-file.md
@@ -1,6 +1,6 @@
---
title: RemoteLock DDF file
-description: RemoteLock DDF file
+description: Learn about the OMA DM device description framework (DDF) for the RemoteLock configuration service provider (CSP).
ms.assetid: A301AE26-1BF1-4328-99AB-1ABBA4960797
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md
index 726df442f0..999d8b629e 100644
--- a/windows/client-management/mdm/remotering-csp.md
+++ b/windows/client-management/mdm/remotering-csp.md
@@ -1,6 +1,6 @@
---
title: RemoteRing CSP
-description: RemoteRing CSP
+description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device.
ms.assetid: 70015243-c07f-46cb-a0f9-4b4ad13a5609
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 3ee8a2cd21..efd8cdac2b 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -1,6 +1,6 @@
---
title: RemoteWipe CSP
-description: RemoteWipe CSP
+description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device.
ms.assetid: 6e89bd37-7680-4940-8a67-11ed062ffb70
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index 12a8de389a..36a83bee33 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -1,6 +1,6 @@
---
title: RemoteWipe DDF file
-description: RemoteWipe DDF file
+description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider.
ms.assetid: 10ec4fb7-f911-4d0c-9a8f-e96bf5faea0c
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index 1b4f1ec6bc..ad6dd045e3 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -1,6 +1,6 @@
---
title: REST API reference for Microsoft Store for Business
-description: REST API reference for Microsoft Store for Business--includes available operations and data structures.
+description: Learn how the REST API reference for Microsoft Store for Business includes available operations and data structures.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 132e196cc0..1c5b7912aa 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -1,6 +1,6 @@
---
title: RootCATrustedCertificates CSP
-description: RootCATrustedCertificates CSP
+description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates.
ms.assetid: F2F25DEB-9DB3-40FB-BC3C-B816CE470D61
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index a80fb75af6..166dfc0d43 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1,6 +1,6 @@
---
title: RootCATrustedCertificates DDF file
-description: RootCATrustedCertificates DDF file
+description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP).
ms.assetid: 06D8787B-D3E1-4D4B-8A21-8045A8F85C1C
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index 7d972a5a96..6585261229 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -1,6 +1,6 @@
---
title: SecureAssessment CSP
-description: SecureAssessment CSP
+description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser.
ms.assetid: 6808BE4B-961E-4638-BF15-FD7841D1C00A
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 9b8b3ce65d..9e203d4d39 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -1,6 +1,6 @@
---
title: SecurityPolicy CSP
-description: SecurityPolicy CSP
+description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS.
ms.assetid: 6014f8fe-f91b-49f3-a357-bdf625545bc9
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md
index 50b8b73b30..032469c901 100644
--- a/windows/client-management/mdm/server-requirements-windows-mdm.md
+++ b/windows/client-management/mdm/server-requirements-windows-mdm.md
@@ -1,6 +1,6 @@
---
title: Server requirements for using OMA DM to manage Windows devices
-description: Server requirements for using OMA DM to manage Windows devices
+description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
MS-HAID:
- 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm'
- 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm'
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index b9ea9c1767..61e26ea7a0 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -1,6 +1,6 @@
---
title: SharedPC DDF file
-description: SharedPC DDF file
+description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP).
ms.assetid: 70234197-07D4-478E-97BB-F6C651C0B970
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md
index 6ed19c97e1..3cb5d8920c 100644
--- a/windows/client-management/mdm/storage-csp.md
+++ b/windows/client-management/mdm/storage-csp.md
@@ -1,6 +1,6 @@
---
title: Storage CSP
-description: Storage CSP
+description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings.
ms.assetid: b19bdb54-53ed-42ce-a5a1-269379013f57
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md
index 9d9be94f93..17340fbf2d 100644
--- a/windows/client-management/mdm/storage-ddf-file.md
+++ b/windows/client-management/mdm/storage-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Storage DDF file
-description: See how storage configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP).
ms.assetid: 247062A3-4DFB-4B14-A3D1-68D02C27703C
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
index 0e0293bca8..2b482383bd 100644
--- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
@@ -1,6 +1,6 @@
---
title: Structure of OMA DM provisioning files
-description: Structure of OMA DM provisioning files
+description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
ms.assetid: 7bd3ef57-c76c-459b-b63f-c5a333ddc2bc
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 28d0b9c42e..45e335fdf9 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -1,6 +1,6 @@
---
title: SUPL CSP
-description: SUPL CSP
+description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client.
ms.assetid: afad0120-1126-4fc5-8e7a-64b9f2a5eae1
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index ad901702a5..b064d57b68 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -1,6 +1,6 @@
---
title: TenantLockdown DDF file
-description: XML file containing the device description framework for the TenantLockdown configuration service provider.
+description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index 36f46f9df1..f97ea96a00 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -1,6 +1,6 @@
---
title: TPMPolicy CSP
-description: TPMPolicy CSP
+description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
index fcdb101ad2..fd463047e0 100644
--- a/windows/client-management/mdm/tpmpolicy-ddf-file.md
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -1,6 +1,6 @@
---
title: TPMPolicy DDF file
-description: TPMPolicy DDF file
+description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
index 808685d36d..1432ef811a 100644
--- a/windows/client-management/mdm/uefi-ddf.md
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -1,6 +1,6 @@
---
title: UEFI DDF file
-description: UEFI DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 310b0192c6..183c89df6d 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -1,6 +1,6 @@
---
title: Update CSP
-description: Update CSP
+description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates.
ms.assetid: F1627B57-0749-47F6-A066-677FDD3D7359
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index 731adeeb60..44f580cb4f 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Update DDF file
-description: Update DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP).
ms.assetid: E236E468-88F3-402A-BA7A-834ED38DD388
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 7b8f154145..60702d4f69 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -1,6 +1,6 @@
---
title: VPN CSP
-description: VPN CSP
+description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
ms.assetid: 05ca946a-1c0b-4e11-8d7e-854e14740707
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md
index b3e8aef28c..889a2f8f25 100644
--- a/windows/client-management/mdm/vpn-ddf-file.md
+++ b/windows/client-management/mdm/vpn-ddf-file.md
@@ -1,6 +1,6 @@
---
title: VPN DDF file
-description: VPN DDF file
+description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP).
ms.assetid: 728FCD9C-0B8E-413B-B54A-CD72C9F2B9EE
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index c7555d45bf..df6b648e6e 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -1,6 +1,6 @@
---
title: VPNv2 CSP
-description: VPNv2 CSP
+description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
ms.assetid: 51ADA62E-1EE5-4F15-B2AD-52867F5B2AD2
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index e4c93ad525..51a1739756 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -1,6 +1,6 @@
---
title: w4 APPLICATION CSP
-description: w4 APPLICATION CSP
+description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
ms.assetid: ef42b82a-1f04-49e4-8a48-bd4e439fc43a
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index eff35b4fd4..20f21f79bc 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -1,6 +1,6 @@
---
title: w7 APPLICATION CSP
-description: w7 APPLICATION CSP
+description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account.
ms.assetid: 10f8aa16-5c89-455d-adcd-d7fb45d4e768
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 70f5a31c7c..174c633ba4 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,6 +1,6 @@
---
title: WiFi CSP
-description: The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device.
+description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device.
ms.assetid: f927cb5f-9555-4029-838b-03fb68937f06
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index 2c51e50a62..8dff039754 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,6 +1,6 @@
---
title: WiFi DDF file
-description: WiFi DDF file
+description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP).
ms.assetid: 00DE1DA7-23DE-4871-B3F0-28EB29A62D61
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index abcbb92914..f6b422ce6d 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -1,6 +1,6 @@
---
title: Win32AppInventory CSP
-description: Win32AppInventory CSP
+description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device.
ms.assetid: C0DEDD51-4EAD-4F8E-AEE2-CBE9658BCA22
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index b22b7284fa..1f20685d75 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Win32AppInventory DDF file
-description: See the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP).
ms.assetid: F6BCC10B-BFE4-40AB-AEEE-34679A4E15B0
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index 2570e65b3d..be248b783d 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -1,6 +1,6 @@
---
-title: Win32CompatibilityAppraiser CSP
-description:
+title: Win32CompatibilityAppraiser CSP
+description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 2508fa2863..c68424cd04 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -1,6 +1,6 @@
---
title: WindowsAdvancedThreatProtection CSP
-description: WindowsAdvancedThreatProtection CSP
+description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
ms.assetid: 6C3054CA-9890-4C08-9DB6-FBEEB74699A8
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index 583ea67e75..5877c32e22 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -1,6 +1,6 @@
---
title: WindowsAdvancedThreatProtection DDF file
-description: WindowsAdvancedThreatProtection DDF file
+description: Learn how the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index e519d6dcd8..847d9d69c8 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard DDF file
-description: See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider.
+description: learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 58a5040b72..b46f76e935 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -1,6 +1,6 @@
---
title: WindowsLicensing CSP
-description: WindowsLicensing CSP
+description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios.
ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index c5037971d9..7b8cb3437e 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -1,6 +1,6 @@
---
title: WindowsLicensing DDF file
-description: WindowsLicensing DDF file
+description: Learn about the OMA DM device description framework (DDF) for the WindowsLicensing configuration service provider (CSP).
ms.assetid: 2A24C922-A167-4CEE-8F74-08E7453800D2
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 3462504a92..4693bb6596 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -1,6 +1,6 @@
---
title: New policies for Windows 10 (Windows 10)
-description: Windows 10 includes the following new policies for management.
+description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index d0806c95e1..4f7a2555e1 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -1,6 +1,6 @@
---
title: Configure system failure and recovery options in Windows
-description: Learn about the system failure and recovery options in Windows.
+description: Learn how to configure the actions that Windows takes when a system error occurs and what the recovery options are.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index 667776a7f8..0bdc744338 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -1,6 +1,6 @@
---
title: Advanced advice for Stop error 7B, Inaccessible_Boot_Device
-description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device
+description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error may occur after some changes are made to the computer,
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md
index 57398a2764..7ff85215fe 100644
--- a/windows/client-management/troubleshoot-networking.md
+++ b/windows/client-management/troubleshoot-networking.md
@@ -2,7 +2,7 @@
title: Advanced troubleshooting for Windows networking
ms.reviewer:
manager: dansimp
-description: Learn how to troubleshoot networking
+description: Learn about the topics that are available to help you troubleshoot common problems related to Windows networking.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 3fe73d34ec..7eabdf0411 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -2,7 +2,7 @@
title: Advanced troubleshooting for Stop error or blue screen error issue
ms.reviewer:
manager: dansimp
-description: Learn how to troubleshoot Stop error or blue screen issues.
+description: Learn advanced options for troubleshooting Stop errors, also known as blue screen errors or bug check errors.
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
index fe6e32ce59..0d4f00510a 100644
--- a/windows/client-management/troubleshoot-tcpip-connectivity.md
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot TCP/IP connectivity
-description: Learn how to troubleshoot TCP/IP connectivity.
+description: Learn how to troubleshoot TCP/IP connectivity and what you should do if you come across TCP reset in a network capture.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index 739c11d55d..f708897928 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -16,6 +16,9 @@ manager: dansimp
In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
+> [Note]
+> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide).
+
To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image.
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index a33d808d2f..40c0ff98c2 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot port exhaustion issues
-description: Learn how to troubleshoot port exhaustion issues.
+description: Learn how to troubleshoot port exhaustion issues. Port exhaustion occurs when all the ports on a machine are used.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
index 7fd5ff086f..37b4dfa002 100644
--- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot Remote Procedure Call (RPC) errors
-description: Learn how to troubleshoot Remote Procedure Call (RPC) errors
+description: Learn how to troubleshoot Remote Procedure Call (RPC) errors when connecting to Windows Management Instrumentation (WMI), SQL Server, or during a remote connection.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md
index 378c042899..48a95cd4e0 100644
--- a/windows/client-management/troubleshoot-tcpip.md
+++ b/windows/client-management/troubleshoot-tcpip.md
@@ -1,6 +1,6 @@
---
title: Advanced troubleshooting for TCP/IP issues
-description: Learn how to troubleshoot common problems in a TCP/IP network environment.
+description: Learn how to troubleshoot common problems in a TCP/IP network environment, for example by collecting data using Network monitor.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
index 3a584ddb8f..b50e43abae 100644
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -2,7 +2,7 @@
title: Advanced troubleshooting for Windows-based computer freeze issues
ms.reviewer:
manager: dansimp
-description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers.
+description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers. Also, you can learn how to diagnose, identify, and fix these issues.
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md
index 0e39db4b3f..bd9f09bfd0 100644
--- a/windows/client-management/troubleshoot-windows-startup.md
+++ b/windows/client-management/troubleshoot-windows-startup.md
@@ -1,6 +1,6 @@
---
title: Advanced troubleshooting for Windows start-up issues
-description: Learn how to troubleshoot Windows start-up issues.
+description: Learn advanced options for how to troubleshoot common Windows start-up issues, like system crashes and freezes.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 8c30018235..671e14612b 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -1,6 +1,6 @@
---
title: Troubleshooting Windows 10
-description: Get links to troubleshooting articles for Windows 10 issues
+description: Learn where to find information about troubleshooting Windows 10 issues, for example Bitlocker issues and bugcheck errors.
ms.reviewer: kaushika
manager: dansimp
ms.prod: w10
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 700b2a16cc..875beb0290 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -2,7 +2,7 @@
title: Change history for Configure Windows 10 (Windows 10)
ms.reviewer:
manager: dansimp
-description: View changes to documentation for configuring Windows 10.
+description: Learn about new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
index 0a333370c9..fe5186f6cf 100644
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@@ -1,6 +1,6 @@
---
title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
-description: Windows 10 has a brand new Start experience.
+description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience.
ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 037e389943..1e6ec5db4b 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -1,6 +1,6 @@
---
title: Configure Windows 10 taskbar (Windows 10)
-description: Admins can pin apps to users' taskbars.
+description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
keywords: ["taskbar layout","pin apps"]
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 9b2fcfb9c3..d89ff3d90b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -1,6 +1,6 @@
---
title: Send feedback about Cortana at work back to Microsoft
-description: How to send feedback to Microsoft about Cortana at work.
+description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues..
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 5158bc4ada..5d8a6999f8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -32,11 +32,11 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the
>[!NOTE]
>A microphone isn't required to use Cortana.
-|**Software** |**Minimum version** |
+| Software | Minimum version |
|---------|---------|
|Client operating system | Desktop:
- Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview#how-is-my-data-processed-by-cortana) below. |
-|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. |
-|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. |
+|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
+|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
## Signing in using Azure AD
@@ -55,7 +55,7 @@ Cortana enterprise services that can be accessed using Azure AD through Cortana
The table below describes the data handling for Cortana enterprise services.
-|**Name** |**Description** |
+| Name | Description |
|---------|---------|
|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio is not retained. |
|**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. |
@@ -66,7 +66,7 @@ The table below describes the data handling for Cortana enterprise services.
#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening?
>[!NOTE]
->The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. You can still click on the microphone button to use your voice with Cortana.
+>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index de5e546244..e2dfea47f8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -1,5 +1,5 @@
---
-title: Sign-in to Azure AD and manage notebook with Cortana (Windows 10)
+title: Sign into Azure AD, enable the wake word, and try a voice query
description: A test scenario walking you through signing in and managing the notebook.
ms.prod: w10
ms.mktglfcycl: manage
@@ -7,7 +7,6 @@ ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
-ms.date: 10/05/2017
ms.reviewer:
manager: dansimp
---
@@ -15,7 +14,7 @@ manager: dansimp
# Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
>[!NOTE]
->The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon.
+>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account.
@@ -23,13 +22,13 @@ manager: dansimp
3. Toggle **Wake word** to **On** and close Cortana.
-4. Say **Cortana, what can you do?**.
+4. Say **Cortana, what can you do?**
-When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
+ When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
-:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
+ :::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
-Once you finish saying your query, Cortana will open with the result.
+ Once you finish saying your query, Cortana will open with the result.
>[!NOTE]
->If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.
\ No newline at end of file
+>If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index c319385e70..0ff39ff4c9 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -3,7 +3,7 @@ title: Configure kiosks and digital signs on Windows desktop editions (Windows 1
ms.reviewer:
manager: dansimp
ms.author: dansimp
-description: Learn about the methods for configuring kiosks.
+description: In this article, learn about the methods for configuring kiosks and digital signs on Windows desktop editions.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index f4825a951e..f7be8e35d2 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -1,6 +1,6 @@
---
title: Prepare a device for kiosk configuration (Windows 10)
-description: Some tips for device settings on kiosks.
+description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md
index 6a42e81700..479b7ca96e 100644
--- a/windows/configuration/kiosk-troubleshoot.md
+++ b/windows/configuration/kiosk-troubleshoot.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot kiosk mode issues (Windows 10)
-description: Tips for troubleshooting multi-app kiosk configuration.
+description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md
index 34b8124fa2..02e0fbc422 100644
--- a/windows/configuration/kiosk-validate.md
+++ b/windows/configuration/kiosk-validate.md
@@ -1,6 +1,6 @@
---
title: Validate kiosk configuration (Windows 10)
-description: Learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
+description: In this article, learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index 3de98a5454..f82225a7fe 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -1,6 +1,6 @@
---
title: Provision PCs with apps (Windows 10)
-description: Add apps to a Windows 10 provisioning package.
+description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 035bdf4010..5b464073a9 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -1,6 +1,6 @@
---
title: Create a provisioning package (Windows 10)
-description: Learn how to create a provisioning package for Windows 10. Provisioning packages let you quickly configure a device without having to install a new image.
+description: Learn how to create a provisioning package for Windows 10, which lets you quickly configure a device without having to install a new image.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -21,44 +21,46 @@ manager: dansimp
- Windows 10
- Windows 10 Mobile
-You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile.
+You can use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings, and then apply the provisioning package to a device running Windows 10 or Windows 10 Mobile.
>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
->[!TIP]
->We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain.
+> [!TIP]
+> We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain.
## Start a new project
1. Open Windows Configuration Designer:
- - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut,
+ - From either the Start screen or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut.
or
- - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
+ - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then select **ICD.exe**.
2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image:
- - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards).
+ - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices:
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
- [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning)
- [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub)
+
+ Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards).
- - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. *The rest of this procedure uses advanced provisioning.*
+ - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.)
>[!TIP]
> You can start a project in the simple wizard editor and then switch the project to the advanced editor.
>
> 
-3. Enter a name for your project, and then click **Next**.
+3. Enter a name for your project, and then select **Next**.
-4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options.
+4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options.
| Windows edition | Settings available for customization | Provisioning package can apply to |
@@ -71,12 +73,12 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
| Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) |
-5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then click **Finish**.
+5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**.
>[!TIP]
->**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly.
+>**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages that you create so you don't have to reconfigure those common settings repeatedly.
-After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane and you can then configure settings for the package.
+6. In the **Available customizations** pane, you can now configure settings for the package.
@@ -94,7 +96,7 @@ The process for configuring settings is similar for all settings. The following
 Expand a category. |  |
 Select a setting. |  |
- Enter a value for the setting. Click Add if the button is displayed. |  |
+| Enter a value for the setting. Select Add if the button is displayed. | |
 Some settings, such as this example, require additional information. In Available customizations, select the value you just created, and additional settings are displayed. |  |
 When the setting is configured, it is displayed in the Selected customizations pane. |  |
@@ -106,39 +108,39 @@ For details on each specific setting, see [Windows Provisioning settings referen
## Build package
-1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**.
+1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**.
-2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**:
+2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**:
- **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
- - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field.
+ - **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field.
- **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages).
- **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0.
-3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections.
+3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional:
- **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen.
- - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
+ - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package.
>[!NOTE]
- >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device.
+ >You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device.
>
>If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner.
-4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location.
+4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location.
-5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+5. In the **Build the provisioning package** window, select **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
- If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page.
+ If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page.
-6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+6. If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build.
-7. When you are done, click **Finish** to close the wizard and go back to the Customizations page.
+7. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page.
**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index f1bf1aa323..6fc7d6234f 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -1,6 +1,6 @@
---
title: Install Windows Configuration Designer (Windows 10)
-description: Learn how to install and run Windows Configuration Designer.
+description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index beff0509a7..37c8bc44ec 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -1,6 +1,6 @@
---
title: Troubleshoot Start menu errors
-description: Troubleshoot common errors related to Start menu in Windows 10.
+description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index e6a50b2114..110c062f57 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -1,6 +1,6 @@
---
title: Administering UE-V with Windows PowerShell and WMI
-description: Administering UE-V with Windows PowerShell and WMI
+description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index 16154765ea..1b5004453a 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -1,6 +1,6 @@
---
title: Administering UE-V
-description: Administering UE-V
+description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index f9fb4b255a..6ca0f295e0 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -1,6 +1,6 @@
---
title: Application Template Schema Reference for UE-V
-description: Application Template Schema Reference for UE-V
+description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 63eb702d7d..508ec913ff 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -1,6 +1,6 @@
---
title: Changing the Frequency of UE-V Scheduled Tasks
-description: Changing the Frequency of UE-V Scheduled Tasks
+description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index fbaeb69dbf..169e31075f 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -1,6 +1,6 @@
---
title: Configuring UE-V with Group Policy Objects
-description: Configuring UE-V with Group Policy Objects
+description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
author: trudyha
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index f7f8d70fcd..f4ea6d2a5f 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Configuring UE-V with Microsoft Endpoint Configuration Manager
-description: Configuring UE-V with Microsoft Endpoint Configuration Manager
+description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Endpoint Configuration Manager.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index b8b4cb2155..04cf9543e9 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -1,6 +1,6 @@
---
title: Deploy required UE-V features
-description: Deploy required UE-V features
+description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example a network share that stores and retrieves user settings.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 918e018c48..8e69dc7cf3 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -1,6 +1,6 @@
---
title: Use UE-V with custom applications
-description: Use UE-V with custom applications
+description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index d67437503a..28a035aedc 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -1,6 +1,6 @@
---
title: Get Started with UE-V
-description: Get Started with UE-V
+description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 9b68ba56df..375f826703 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -1,6 +1,6 @@
---
title: Manage Administrative Backup and Restore in UE-V
-description: Manage Administrative Backup and Restore in UE-V
+description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 71d5841793..7189998439 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -1,6 +1,6 @@
---
title: Manage Configurations for UE-V
-description: Manage Configurations for UE-V
+description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 4ed5adc8a9..f9658f41a1 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -1,6 +1,6 @@
---
title: Migrating UE-V settings packages
-description: Migrating UE-V settings packages
+description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index c56e5b4661..e10d20444a 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -1,6 +1,6 @@
---
title: Prepare a UE-V Deployment
-description: Prepare a UE-V Deployment
+description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index d61075e1bd..663afd38eb 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -1,6 +1,6 @@
---
title: User Experience Virtualization (UE-V) Release Notes
-description: Read the latest information required to successfully install and use UE-V that is not included in the User Experience Virtualization (UE-V) documentation.
+description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that is not included in the UE-V documentation.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index a036b1fb3a..c45565ed5f 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -1,6 +1,6 @@
---
title: Security Considerations for UE-V
-description: Security Considerations for UE-V
+description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index ebe670eed2..02d1e1d9af 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -1,6 +1,6 @@
---
title: Sync Methods for UE-V
-description: Sync Methods for UE-V
+description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index 3dc4b9727d..0db2a582f4 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -1,6 +1,6 @@
---
title: Sync Trigger Events for UE-V
-description: Sync Trigger Events for UE-V
+description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 3bf783b488..32ed4968bb 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -1,6 +1,6 @@
---
title: Synchronizing Microsoft Office with UE-V
-description: Synchronizing Office with UE-V
+description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index 5edddf9109..8f0feaabbc 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -1,6 +1,6 @@
---
title: Technical Reference for UE-V
-description: Technical Reference for UE-V
+description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index 9683bd771d..7e51868298 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -1,6 +1,6 @@
---
title: Troubleshooting UE-V
-description: Find resources for troubleshooting UE-V for Windows 10.
+description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index c17b9cedb8..09d5d2ace3 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -1,6 +1,6 @@
---
title: What's New in UE-V for Windows 10, version 1607
-description: What's New in UE-V for Windows 10, version 1607
+description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index fa8b0e3378..5fcc9f5c5c 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -44,7 +44,7 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en
- **Feature suggestions, fun facts, tips**
- The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
+ The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services.
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 27f6ebfdc9..b558969815 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -44,7 +44,7 @@
- name: Define your servicing strategy
href: update/plan-define-strategy.md
- name: Delivery Optimization for Windows 10 updates
- href: update/waas-delivery-optimization-reference.md
+ href: update/waas-delivery-optimization.md
- name: Best practices for feature updates on mission-critical devices
href: update/feature-update-mission-critical.md
- name: Windows 10 deployment considerations
diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md
index ae15ebea5c..a57384798d 100644
--- a/windows/deployment/Windows-AutoPilot-EULA-note.md
+++ b/windows/deployment/Windows-AutoPilot-EULA-note.md
@@ -1,24 +1,25 @@
----
-title: Windows Autopilot EULA dismissal – important information
-description: A notice about EULA dismissal through Windows Autopilot
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 08/22/2017
-ms.reviewer:
-manager: laurawi
-audience: itpro
author: greg-lindsay
-ROBOTS: noindex,nofollow
-ms.topic: article
----
-# Windows Autopilot EULA dismissal – important information
-
->[!IMPORTANT]
->The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
-
-Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
-
-By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors.
+---
+title: Windows Autopilot EULA dismissal – important information
+description: A notice about EULA dismissal through Windows Autopilot
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+ms.localizationpriority: medium
+ms.audience: itpro
+author: greg-lindsay
+ms.date: 08/22/2017
+ms.reviewer:
+manager: laurawi
+audience: itpro
+ROBOTS: noindex,nofollow
+ms.topic: article
+---
+# Windows Autopilot EULA dismissal – important information
+
+>[!IMPORTANT]
+>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
+
+Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
+
+By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors.
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index f9405d730e..834b94f381 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -11,8 +11,6 @@ audience: itpro
author: greg-lindsay
ms.reviewer:
manager: laurawi
-audience: itpro
-author: greg-lindsay
ms.author: greglin
ms.topic: article
---
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index e90d44c1b5..c28a60db3e 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -3,7 +3,7 @@ title: Deploy Windows 10 with Microsoft 365
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Concepts about deploying Windows 10 for M365
+description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index cff09982d3..519ec80cf3 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -3,7 +3,7 @@ title: What's new in Windows 10 deployment
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Changes and new features related to Windows 10 deployment
+description: Use this article to learn about new solutions and online content related to deploying Windows 10 in your organization.
keywords: deployment, automate, tools, configure, news
ms.mktglfcycl: deploy
ms.localizationpriority: medium
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 7e06abfeb3..5c8972471b 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -170,13 +170,16 @@ The key to successful management of drivers for MDT, as well as for any other de
On **MDT01**:
+> [!IMPORTANT]
+> In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system.
+
1. Using File Explorer, create the **D:\\drivers** folder.
2. In the **D:\\drivers** folder, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 10 x64
3. In the new Windows 10 x64 folder, create the following folder structure:
- - Dell
+ - Dell Inc
- Latitude E7450
- Hewlett-Packard
- HP EliteBook 8560w
@@ -185,8 +188,8 @@ On **MDT01**:
- Microsoft Corporation
- Surface Laptop
->[!NOTE]
->Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
+> [!NOTE]
+> Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
### Create the logical driver structure in MDT
@@ -197,7 +200,7 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
2. WinPE x64
3. Windows 10 x64
3. In the **Windows 10 x64** folder, create the following folder structure:
- - Dell
+ - Dell Inc
- Latitude E7450
- Hewlett-Packard
- HP EliteBook 8560w
@@ -281,12 +284,12 @@ The folder you select and all sub-folders will be checked for drivers, expanding
For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
-In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell\\Latitude E7450** folder.
+In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc\\Latitude E7450** folder.
On **MDT01**:
-1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell** node.
-2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell\\Latitude E7450**
+1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node.
+2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
### For the HP EliteBook 8560w
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index 52cc80097b..e0be07468b 100644
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -1,18 +1,18 @@
---
title: Deploy Windows To Go in your organization (Windows 10)
-description: This topic helps you to deploy Windows To Go in your organization.
+description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface as well as programatically with Windows PowerShell.
ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f
ms.reviewer:
manager: laurawi
ms.audience: itpro
author: greg-lindsay
+ms.author: greglin
keywords: deployment, USB, device, BitLocker, workspace, security, data
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobility
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index d86cb2f2a8..5afc9307e1 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -1,17 +1,17 @@
---
title: Deploy Windows 10 (Windows 10)
-description: Learn Windows 10 upgrade options for planning, testing, and managing your production deployment.
+description: Learn about Windows 10 upgrade options for planning, testing, and managing your production deployment.
ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.reviewer:
manager: laurawi
ms.audience: itpro
author: greg-lindsay
+ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 45e00f7007..94f57a06d9 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -1,6 +1,6 @@
---
title: MBR2GPT
-description: How to use the MBR2GPT tool to convert MBR partitions to GPT
+description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk.
keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt
ms.prod: w10
ms.mktglfcycl: deploy
@@ -8,11 +8,11 @@ ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
+ms.author: greglin
ms.date: 02/13/2018
ms.reviewer:
manager: laurawi
ms.audience: itpro
-author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
---
diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
index a202b57844..f128528a5e 100644
--- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
+++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
@@ -1,238 +1,239 @@
----
-title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
-description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
-ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Available Data Types and Operators in Compatibility Administrator
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
-
-## Available Data Types
-
-
-Customized-compatibility databases in Compatibility Administrator contain the following data types.
-
-- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value.
-
-- **String**. A series of alphanumeric characters manipulated as a group.
-
-- **Boolean**. A value of True or False.
-
-## Available Attributes
-
-
-The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator.
-
-
-
-
-
-
-
-
-
-
-
-
-APP_NAME |
-Name of the application. |
-String |
-
-
-DATABASE_GUID |
-Unique ID for your compatibility database. |
-String |
-
-
-DATABASE_INSTALLED |
-Specifies if you have installed the database. |
-Boolean |
-
-
-DATABASE_NAME |
-Descriptive name of your database. |
-String |
-
-
-DATABASE_PATH |
-Location of the database on your computer. |
-String |
-
-
-FIX_COUNT |
-Number of compatibility fixes applied to a specific application. |
-Integer |
-
-
-FIX_NAME |
-Name of your compatibility fix. |
-String |
-
-
-MATCH_COUNT |
-Number of matching files for a specific, fixed application. |
-Integer |
-
-
-MATCHFILE_NAME |
-Name of a matching file used to identify a specific, fixed application. |
-String |
-
-
-MODE_COUNT |
-Number of compatibility modes applied to a specific, fixed application. |
-Integer |
-
-
-MODE_NAME |
-Name of your compatibility mode. |
-String |
-
-
-PROGRAM_APPHELPTYPE |
-Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program. |
-Integer |
-
-
-PROGRAM_DISABLED |
-Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application. |
-Boolean |
-
-
-PROGRAM_GUID |
-Unique ID for an application. |
-String |
-
-
-PROGRAM_NAME |
-Name of the application that you are fixing. |
-String |
-
-
-
-
-
-
-## Available Operators
-
-
-The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator.
-
-
-
-
-
-
-
-
-
-
-
-
-
-> |
-Greater than |
-Integer or string |
-1 |
-
-
->= |
-Greater than or equal to |
-Integer or string |
-1 |
-
-
-< |
-Less than |
-Integer or string |
-1 |
-
-
-<= |
-Less than or equal to |
-Integer or string |
-1 |
-
-
-<> |
-Not equal to |
-Integer or string |
-1 |
-
-
-= |
-Equal to |
-Integer, string, or Boolean |
-1 |
-
-
-HAS |
-A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand. |
-Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME
-
- NoteOnly the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.
-
-
-
-Right-hand operand. String |
-1 |
-
-
-OR |
-Logical OR operator |
-Boolean |
-2 |
-
-
-AND |
-Logical AND operator |
-Boolean |
-2 |
-
-
-
-
-
-
-## Related topics
-[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
-
-
-
-
-
-
-
-
-
+---
+title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
+description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
+ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Available Data Types and Operators in Compatibility Administrator
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
+
+## Available Data Types
+
+
+Customized-compatibility databases in Compatibility Administrator contain the following data types.
+
+- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value.
+
+- **String**. A series of alphanumeric characters manipulated as a group.
+
+- **Boolean**. A value of True or False.
+
+## Available Attributes
+
+
+The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator.
+
+
+
+
+
+
+
+
+
+
+
+
+APP_NAME |
+Name of the application. |
+String |
+
+
+DATABASE_GUID |
+Unique ID for your compatibility database. |
+String |
+
+
+DATABASE_INSTALLED |
+Specifies if you have installed the database. |
+Boolean |
+
+
+DATABASE_NAME |
+Descriptive name of your database. |
+String |
+
+
+DATABASE_PATH |
+Location of the database on your computer. |
+String |
+
+
+FIX_COUNT |
+Number of compatibility fixes applied to a specific application. |
+Integer |
+
+
+FIX_NAME |
+Name of your compatibility fix. |
+String |
+
+
+MATCH_COUNT |
+Number of matching files for a specific, fixed application. |
+Integer |
+
+
+MATCHFILE_NAME |
+Name of a matching file used to identify a specific, fixed application. |
+String |
+
+
+MODE_COUNT |
+Number of compatibility modes applied to a specific, fixed application. |
+Integer |
+
+
+MODE_NAME |
+Name of your compatibility mode. |
+String |
+
+
+PROGRAM_APPHELPTYPE |
+Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program. |
+Integer |
+
+
+PROGRAM_DISABLED |
+Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application. |
+Boolean |
+
+
+PROGRAM_GUID |
+Unique ID for an application. |
+String |
+
+
+PROGRAM_NAME |
+Name of the application that you are fixing. |
+String |
+
+
+
+
+
+
+## Available Operators
+
+
+The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator.
+
+
+
+
+
+
+
+
+
+
+
+
+
+> |
+Greater than |
+Integer or string |
+1 |
+
+
+>= |
+Greater than or equal to |
+Integer or string |
+1 |
+
+
+< |
+Less than |
+Integer or string |
+1 |
+
+
+<= |
+Less than or equal to |
+Integer or string |
+1 |
+
+
+<> |
+Not equal to |
+Integer or string |
+1 |
+
+
+= |
+Equal to |
+Integer, string, or Boolean |
+1 |
+
+
+HAS |
+A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand. |
+Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME
+
+ NoteOnly the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.
+
+
+
+Right-hand operand. String |
+1 |
+
+
+OR |
+Logical OR operator |
+Boolean |
+2 |
+
+
+AND |
+Logical AND operator |
+Boolean |
+2 |
+
+
+
+
+
+
+## Related topics
+[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
index 41c34aec02..36a7463bcc 100644
--- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
+++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
@@ -1,6 +1,6 @@
---
title: Best practice recommendations for Windows To Go (Windows 10)
-description: Best practice recommendations for Windows To Go
+description: Learn about best practice recommendations for using Windows To Go, like using a USB 3.0 port with Windows to Go if it's available.
ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 8724e8278a..13c1aa16fd 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -1,6 +1,6 @@
---
title: Deployment considerations for Windows To Go (Windows 10)
-description: Deployment considerations for Windows To Go
+description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go.
ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md
index a59b98bcff..0f635b9f80 100644
--- a/windows/deployment/planning/features-lifecycle.md
+++ b/windows/deployment/planning/features-lifecycle.md
@@ -1,6 +1,6 @@
---
title: Windows 10 features lifecycle
-description: Learn about the lifecycle of Windows 10 features
+description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
index 98986e0bfd..ea3a21ed29 100644
--- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
+++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
@@ -1,76 +1,77 @@
----
-title: Fixing Applications by Using the SUA Tool (Windows 10)
-description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
-ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Fixing Applications by Using the SUA Tool
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
-
-**To fix an application by using the SUA tool**
-
-1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
-
-2. After you finish testing, open the SUA tool.
-
-3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands.
-
-
-
-
-
-
-
-
-
-
-
- Apply Mitigations |
- Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application. |
-
-
- Undo Mitigations |
- Removes the application fixes that you just applied.
- This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel. |
-
-
- Export Mitigations as Windows Installer file |
- Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application. |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: Fixing Applications by Using the SUA Tool (Windows 10)
+description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
+ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Fixing Applications by Using the SUA Tool
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
+
+**To fix an application by using the SUA tool**
+
+1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
+
+2. After you finish testing, open the SUA tool.
+
+3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands.
+
+
+
+
+
+
+
+
+
+
+
+ Apply Mitigations |
+ Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application. |
+
+
+ Undo Mitigations |
+ Removes the application fixes that you just applied.
+ This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel. |
+
+
+ Export Mitigations as Windows Installer file |
+ Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application. |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
index 08db3b24d6..d4b510cd08 100644
--- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
+++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
@@ -1,80 +1,81 @@
----
-title: Showing Messages Generated by the SUA Tool (Windows 10)
-description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
-ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Showing Messages Generated by the SUA Tool
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
-
-**To show the messages that the SUA tool has generated**
-
-1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
-
-2. After you finish testing, in the SUA tool, click the **App Info** tab.
-
-3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands.
-
-
-
-
-
-
-
-
-
-
-
- Error Messages |
- When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.
- This command is selected by default. |
-
-
- Warning Messages |
- When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow. |
-
-
- Information Messages |
- When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green. |
-
-
- Detailed Information |
- When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information. |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: Showing Messages Generated by the SUA Tool (Windows 10)
+description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
+ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Showing Messages Generated by the SUA Tool
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
+
+**To show the messages that the SUA tool has generated**
+
+1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
+
+2. After you finish testing, in the SUA tool, click the **App Info** tab.
+
+3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands.
+
+
+
+
+
+
+
+
+
+
+
+ Error Messages |
+ When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.
+ This command is selected by default. |
+
+
+ Warning Messages |
+ When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow. |
+
+
+ Information Messages |
+ When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green. |
+
+
+ Detailed Information |
+ When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information. |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
index d58bf1d2ce..d3c279c3eb 100644
--- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
+++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
@@ -1,105 +1,106 @@
----
-title: Tabs on the SUA Tool Interface (Windows 10)
-description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
-ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Tabs on the SUA Tool Interface
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
-
-The following table provides a description of each tab on the user interface for the SUA tool.
-
-
-
-
-
-
-
-
-
-
-
-App Info |
-Provides the following information for the selected application:
-
-Debugging information Error, warning, and informational messages (if they are enabled) Options for running the application |
-
-
-File |
-Provides information about access to the file system.
-For example, this tab might show an attempt to write to a file that only administrators can typically access. |
-
-
-Registry |
-Provides information about access to the system registry.
-For example, this tab might show an attempt to write to a registry key that only administrators can typically access. |
-
-
-INI |
-Provides information about WriteProfile API issues.
-For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators. |
-
-
-Token |
-Provides information about access-token checking.
-For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user. |
-
-
-Privilege |
-Provides information about permissions.
-For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user. |
-
-
-Name Space |
-Provides information about creation of system objects.
-For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user. |
-
-
-Other Objects |
-Provides information related to applications accessing objects other than files and registry keys. |
-
-
-Process |
-Provides information about process elevation.
-For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user. |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: Tabs on the SUA Tool Interface (Windows 10)
+description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
+ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Tabs on the SUA Tool Interface
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
+
+The following table provides a description of each tab on the user interface for the SUA tool.
+
+
+
+
+
+
+
+
+
+
+
+App Info |
+Provides the following information for the selected application:
+
+Debugging information Error, warning, and informational messages (if they are enabled) Options for running the application |
+
+
+File |
+Provides information about access to the file system.
+For example, this tab might show an attempt to write to a file that only administrators can typically access. |
+
+
+Registry |
+Provides information about access to the system registry.
+For example, this tab might show an attempt to write to a registry key that only administrators can typically access. |
+
+
+INI |
+Provides information about WriteProfile API issues.
+For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators. |
+
+
+Token |
+Provides information about access-token checking.
+For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user. |
+
+
+Privilege |
+Provides information about permissions.
+For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user. |
+
+
+Name Space |
+Provides information about creation of system objects.
+For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user. |
+
+
+Other Objects |
+Provides information related to applications accessing objects other than files and registry keys. |
+
+
+Process |
+Provides information about process elevation.
+For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user. |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
index b38891eae2..cb84beaa58 100644
--- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md
+++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
@@ -1,94 +1,95 @@
----
-title: Using the Compatibility Administrator Tool (Windows 10)
-description: This section provides information about using the Compatibility Administrator tool.
-ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Using the Compatibility Administrator Tool
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides information about using the Compatibility Administrator tool.
-
-## In this section
-
-
-
-
-
-
-
-
-
-
-
-
-Available Data Types and Operators in Compatibility Administrator |
-The Compatibility Administrator tool provides a way to query your custom-compatibility databases. |
-
-
-Searching for Fixed Applications in Compatibility Administrator |
-With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application. |
-
-
-Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator |
-You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. |
-
-
-Creating a Custom Compatibility Fix in Compatibility Administrator |
-The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages. |
-
-
-Creating a Custom Compatibility Mode in Compatibility Administrator |
-Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases. |
-
-
-Creating an AppHelp Message in Compatibility Administrator |
-The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. |
-
-
-Viewing the Events Screen in Compatibility Administrator |
-The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. |
-
-
-Enabling and Disabling Compatibility Fixes in Compatibility Administrator |
-You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. |
-
-
-Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator |
-The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers. |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: Using the Compatibility Administrator Tool (Windows 10)
+description: This section provides information about using the Compatibility Administrator tool.
+ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Using the Compatibility Administrator Tool
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+This section provides information about using the Compatibility Administrator tool.
+
+## In this section
+
+
+
+
+
+
+
+
+
+
+
+
+Available Data Types and Operators in Compatibility Administrator |
+The Compatibility Administrator tool provides a way to query your custom-compatibility databases. |
+
+
+Searching for Fixed Applications in Compatibility Administrator |
+With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application. |
+
+
+Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator |
+You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. |
+
+
+Creating a Custom Compatibility Fix in Compatibility Administrator |
+The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages. |
+
+
+Creating a Custom Compatibility Mode in Compatibility Administrator |
+Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases. |
+
+
+Creating an AppHelp Message in Compatibility Administrator |
+The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. |
+
+
+Viewing the Events Screen in Compatibility Administrator |
+The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. |
+
+
+Enabling and Disabling Compatibility Fixes in Compatibility Administrator |
+You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. |
+
+
+Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator |
+The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers. |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index 464e7e03de..965ad4dad7 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -1,60 +1,61 @@
----
-title: Windows 10 compatibility (Windows 10)
-description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
-ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade, update, appcompat
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 compatibility
-
-
-**Applies to**
-
-- Windows 10
-
-Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
-
-For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10.
-
-Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues.
-
-Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store.
-
-For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031)
-
-## Recommended application testing process
-
-
-Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level:
-
-- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release.
-
-- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines.
-
-## Related topics
-
-
-[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
-
-[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
-
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-
-
-
-
-
-
-
-
-
+---
+title: Windows 10 compatibility (Windows 10)
+description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
+ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade, update, appcompat
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 compatibility
+
+
+**Applies to**
+
+- Windows 10
+
+Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
+
+For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10.
+
+Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues.
+
+Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store.
+
+For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031)
+
+## Recommended application testing process
+
+
+Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level:
+
+- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release.
+
+- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines.
+
+## Related topics
+
+
+[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
+
+[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
+
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index 764b8d1ca5..546b8de3af 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -6,14 +6,12 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
-audience: itpro
author: greg-lindsay
ms.date: 08/18/2017
ms.reviewer:
manager: laurawi
ms.author: greglin
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index b79a9e0b9d..65c52cf2dd 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -1,6 +1,6 @@
---
title: Windows 10 - Features that have been removed
-description: Learn about features and functionality that has been removed or replaced in Windows 10
+description: In this article, learn about the features and functionality that have been removed or replaced in Windows 10.
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
@@ -27,6 +27,8 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Removed in version |
| ----------- | --------------------- | ------ |
+| Connect app | The [Connect app](https://docs.microsoft.com/windows-hardware/design/device-experiences/wireless-projection-understanding) for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 |
+| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 |
| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |
| Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 |
| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 |
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index bd9b8af4d0..37b3315a1d 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -11,8 +11,8 @@ ms.reviewer:
manager: laurawi
ms.audience: itpro
author: greg-lindsay
+ms.author: greglin
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 3534c08c5c..97f6eb21e1 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -7,9 +7,7 @@ ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md
index 99bb88d5a4..fc8013e00c 100644
--- a/windows/deployment/update/change-history-for-update-windows-10.md
+++ b/windows/deployment/update/change-history-for-update-windows-10.md
@@ -4,7 +4,6 @@ description: This topic lists new and updated topics in the Update Windows 10 do
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-itproauthor: jaimeo
author: jaimeo
ms.author: jaimeo
ms.reviewer:
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index af6fe156e8..77795ce1c4 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -10,7 +10,6 @@ audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md
index 5c72afc8c0..a23c157317 100644
--- a/windows/deployment/update/feature-update-conclusion.md
+++ b/windows/deployment/update/feature-update-conclusion.md
@@ -1,6 +1,6 @@
---
title: Best practices for feature updates - conclusion
-description: Final thoughts about how to deploy feature updates
+description: This article includes final thoughts about how to deploy and stay up-to-date with Windows 10 feature updates.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
index da74aafced..2df56fa684 100644
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -1,10 +1,9 @@
---
title: Best practices - deploy feature updates during maintenance windows
-description: Learn how to deploy feature updates during a maintenance window
+description: Learn how to configure maintenance windows and how to deploy feature updates during a maintenance window.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
index 760c0f0182..69b91b9184 100644
--- a/windows/deployment/update/feature-update-mission-critical.md
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -1,6 +1,6 @@
---
title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices
-description: Learn how to deploy feature updates to your mission-critical devices
+description: Learn how to use the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index e22be01edd..254703b4dc 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -1,6 +1,6 @@
---
title: Best practices - deploy feature updates for user-initiated installations
-description: Learn how to manually deploy feature updates
+description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index adb1e56155..232fb2748c 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -1,6 +1,6 @@
---
title: Olympia Corp enrollment guidelines
-description: Olympia Corp enrollment guidelines
+description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows 10 device or an Azure Active Directory-JOINED Windows 10 device.
ms.author: jaimeo
ms.topic: article
ms.prod: w10
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index a2ff53df19..4264b434b1 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -10,7 +10,6 @@ audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index b7e1707a7d..645903d80f 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -7,12 +7,12 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature,
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
+ms.author: jaimeo
+author: jaimeo
---
# Determine application readiness
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index c3c6abb633..1fa0437e08 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -2,7 +2,7 @@
title: Delivery Optimization in Update Compliance (Windows 10)
ms.reviewer:
manager: laurawi
-description: new Delivery Optimization data displayed in Update Compliance
+description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 5953fcc349..6be6180063 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -2,7 +2,7 @@
title: Update Compliance - Feature Update Status report
ms.reviewer:
manager: laurawi
-description: Find the latest status of feature updates with an overview of the Feature Update Status report.
+description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@@ -16,7 +16,7 @@ ms.topic: article
# Feature Update Status
-
+[  ](images/UC_workspace_FU_status.png#lightbox)
The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels).
@@ -41,7 +41,14 @@ Microsoft uses diagnostic data to determine whether devices that use Windows Upd
### Opting out of compatibility hold
-Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**.
+Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired.
+To opt out, set the registry key as follows:
+
+- Registry Key Path :: **Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion**
+- Create New Key :: **502505fe-762c-4e80-911e-0c3fa4c63fb0**
+- Name :: **DataRequireGatedScanForFeatureUpdates**
+- Type :: **REG_DWORD**
+- Value :: **0**
Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device.
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index f17250eec3..78b60d2c7a 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -2,8 +2,7 @@
title: Update Compliance - Need Attention! report
ms.reviewer:
manager: laurawi
-description: an overview of the Update Compliance Need Attention! report
-ms.prod: w10
+description: Learn how the Needs attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance.
ms.mktglfcycl: deploy
ms.pagetype: deploy
audience: itpro
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index 67cc9067ac..5396a3f77c 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -2,7 +2,7 @@
title: Update Compliance - Security Update Status report
ms.reviewer:
manager: laurawi
-description: an overview of the Security Update Status report
+description: Learn how the Security Update Status section provides information about security updates across all devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index b61cef1778..09cf255a00 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -2,7 +2,7 @@
title: Using Update Compliance (Windows 10)
ms.reviewer:
manager: laurawi
-description: Explains how to begin using Update Compliance.
+description: Learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status.
keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index dbf94c9677..58e2b5e496 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -10,7 +10,6 @@ audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 13b02958f8..db7cd77c90 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -82,6 +82,9 @@ When using WSUS to manage updates on Windows client devices, start by configurin
9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
+
+ >[!IMPORTANT]
+ > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateDoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md
index b23dfbb017..377895abf7 100644
--- a/windows/deployment/update/waas-morenews.md
+++ b/windows/deployment/update/waas-morenews.md
@@ -4,13 +4,11 @@ ms.prod: w10
ms.topic: article
ms.manager: elizapo
audience: itpro
-itproauthor: jaimeo
author: jaimeo
ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.localizationpriority: high
-ms.topic: article
---
# Windows as a service - More news
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index e1866cfcc0..0031ab8ee0 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,6 +1,6 @@
---
title: Manage device restarts after updates (Windows 10)
-description: tbd
+description: Use Group Policy settings, mobile device management (MDM) or Registry to configure when devices will restart after a Windows 10 update is installed.
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 2eae42de3a..e9be73508c 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,6 +1,6 @@
---
title: Assign devices to servicing channels for Windows 10 updates (Windows 10)
-description: tbd
+description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM .
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index d55a28a5c1..81e33643c9 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -7,7 +7,6 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature,
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
author: jaimeo
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 83cc19c6e9..323e565a06 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -3,9 +3,7 @@ title: Manage additional Windows Update settings (Windows 10)
description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
ms.prod: w10
ms.mktglfcycl: deploy
-
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
author: jaimeo
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 30af2075e1..92ee39c436 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -4,14 +4,14 @@ description: Configure Windows Update for Business settings using Microsoft Intu
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.date: 07/27/2017
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.author: jaimeo
+author: jaimeo
---
# Walkthrough: use Microsoft Intune to configure Windows Update for Business
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index b83dd307b0..471073ea8f 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -1,6 +1,6 @@
---
title: Windows Update error code list by component
-description: Reference information for Windows Update error codes
+description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
index cdb6ea9f85..e3d4342c33 100644
--- a/windows/deployment/update/windows-update-errors.md
+++ b/windows/deployment/update/windows-update-errors.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.date: 09/18/2018
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 1e9deff347..68d6b72b20 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -1,12 +1,10 @@
---
title: Windows Update log files
-description: Learn about the Windows Update log files
+description: Learn about the Windows Update log files and how to merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.date: 09/18/2018
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 47cb14f395..d96f16274f 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -6,9 +6,7 @@ ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index 0371ab7f89..49b83d23f1 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -1,17 +1,17 @@
---
title: Windows Update - Additional resources
-description: Use these resource to troubleshoot and reset Windows Update.
+description: In this article, learn details about to troubleshooting WSUS and resetting Windows Update components manually.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
-author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
-author: jaimeo
ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.author: jaimeo
+author: jaimeo
---
# Windows Update - additional resources
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 967245b7d0..32b31d106f 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -1,12 +1,10 @@
---
title: Windows Update troubleshooting
-description: Learn how to troubleshoot Windows Update
+description: Learn about troubleshooting Windows Update, issues related to HTTP/Proxy, and why some features are offered and others aren't.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.reviewer:
@@ -21,9 +19,13 @@ ms.topic: article
If you run into problems when using Windows Update, start with the following steps:
1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**.
+
2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU.
+
3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
+ - [Windows 10, version 2004 and Windows Server, version 2004](https://support.microsoft.com/help/4555932)
+ - [Windows 10, version 1909 and Windows Server, version 1909](https://support.microsoft.com/help/4529964)
- [Windows 10, version 1903 and Windows Server, version 1903](https://support.microsoft.com/help/4498140)
- [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history)
- [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history)
@@ -51,8 +53,11 @@ If the update you're offered isn't the most current available, it might be becau
## My device is frozen at scan. Why?
The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following:
+
1. Close the Settings app and reopen it.
+
2. Launch Services.msc and check if the following services are running:
+
- Update State Orchestrator
- Windows Update
@@ -166,7 +171,7 @@ Check that your device can access these Windows Update endpoints:
## Updates aren't downloading from the intranet endpoint (WSUS or Configuration Manager)
Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
-1. Start Windows PowerShell as an administrator
+1. Start Windows PowerShell as an administrator.
2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager".
3. Run \$MUSM.Services.
diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md
index ac584017e2..0fc1330492 100644
--- a/windows/deployment/update/wufb-autoupdate.md
+++ b/windows/deployment/update/wufb-autoupdate.md
@@ -1,14 +1,12 @@
---
title: Setting up Automatic Update in Windows Update for Business (Windows 10)
-description: Learn how to configure Automatic Update group policies in Windows Update for Business.
+description: In this article, learn how to configure Automatic Update in Windows Update for Business with group policies.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.date: 06/20/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md
index 719b115f4f..0c8f5c32db 100644
--- a/windows/deployment/update/wufb-basics.md
+++ b/windows/deployment/update/wufb-basics.md
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md
index e451d7751a..56f956aae8 100644
--- a/windows/deployment/update/wufb-managedrivers.md
+++ b/windows/deployment/update/wufb-managedrivers.md
@@ -5,8 +5,6 @@ ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.date: 06/21/2018
diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md
index 10037c56b2..93a5ab27b7 100644
--- a/windows/deployment/update/wufb-manageupdate.md
+++ b/windows/deployment/update/wufb-manageupdate.md
@@ -6,9 +6,7 @@ ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
-author: jaimeo
ms.date: 06/20/2018
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md
index 058f595090..de44721666 100644
--- a/windows/deployment/update/wufb-onboard.md
+++ b/windows/deployment/update/wufb-onboard.md
@@ -1,12 +1,10 @@
---
title: Onboarding to Windows Update for Business (Windows 10)
-description: Learn how to get started using Windows Update for Business.
+description: Get started using Windows Update for Business, a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
-author: jaimeo
-ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.reviewer:
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 3a7f854132..9cef992dea 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -1,64 +1,65 @@
----
-title: Resolve Windows 10 upgrade errors - Windows IT Pro
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.topic: article
----
-
-# Resolve Windows 10 upgrade errors : Technical information for IT Pros
-
-**Applies to**
-- Windows 10
-
->[!IMPORTANT]
->This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
-
-This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
-
-The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
-
-The following four levels are assigned:
-
-Level 100: Basic
-Level 200: Moderate
-Level 300: Moderate advanced
-Level 400: Advanced
-
-## In this guide
-
-See the following topics in this article:
-
-- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
-- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure.
-- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
-- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade.
-- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained.
- - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes.
- - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes.
-- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting.
- - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described.
- - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example.
-- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes.
- - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code.
- - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800.
- - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
-- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis.
-
-## Related topics
-
-[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
-
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
-
+---
+title: Resolve Windows 10 upgrade errors - Windows IT Pro
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# Resolve Windows 10 upgrade errors : Technical information for IT Pros
+
+**Applies to**
+- Windows 10
+
+>[!IMPORTANT]
+>This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
+
+This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
+
+The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
+
+The following four levels are assigned:
+
+Level 100: Basic
+Level 200: Moderate
+Level 300: Moderate advanced
+Level 400: Advanced
+
+## In this guide
+
+See the following topics in this article:
+
+- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
+- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure.
+- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
+- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade.
+- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained.
+ - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes.
+ - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes.
+- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting.
+ - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described.
+ - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example.
+- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes.
+ - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code.
+ - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800.
+ - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
+ - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
+- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis.
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
+
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
+
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
+
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
+
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 6062bfa905..080018fb21 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -1,79 +1,80 @@
----
-title: Windows Upgrade and Migration Considerations (Windows 10)
-description: Windows Upgrade and Migration Considerations
-ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows upgrade and migration considerations
-Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
-
-## Upgrade from a previous version of Windows
-You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
-
-## Migrate files and settings
-Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
-
-For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349).
-
-The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer.
-
-### Migrate with Windows Easy Transfer
-Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download.
-
-With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store.
-
-> [!NOTE]
-> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10).
-
-### Migrate with the User State Migration Tool
-You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
-
-## Upgrade and migration considerations
-Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
-
-### Application compatibility
-For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).
-
-### Multilingual Windows image upgrades
-When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
-
-If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed.
-
-### Errorhandler.cmd
-When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
-
-### Data drive ACL migration
-During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
-
-Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
-
-``` syntax
-Key: HKLM\System\Setup
-Type: REG_DWORD
-Value: "DDACLSys_Disabled" = 1
-```
-
-This feature is disabled if this registry key value exists and is configured to `1`.
-
-## Related topics
-[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
-[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-
-
-
-
-
-
-
-
-
-
+---
+title: Windows Upgrade and Migration Considerations (Windows 10)
+description: Discover the Microsoft tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.
+ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows upgrade and migration considerations
+Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
+
+## Upgrade from a previous version of Windows
+You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
+
+## Migrate files and settings
+Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
+
+For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349).
+
+The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer.
+
+### Migrate with Windows Easy Transfer
+Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download.
+
+With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store.
+
+> [!NOTE]
+> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10).
+
+### Migrate with the User State Migration Tool
+You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
+
+## Upgrade and migration considerations
+Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
+
+### Application compatibility
+For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).
+
+### Multilingual Windows image upgrades
+When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
+
+If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed.
+
+### Errorhandler.cmd
+When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
+
+### Data drive ACL migration
+During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
+
+Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
+
+``` syntax
+Key: HKLM\System\Setup
+Type: REG_DWORD
+Value: "DDACLSys_Disabled" = 1
+```
+
+This feature is disabled if this registry key value exists and is configured to `1`.
+
+## Related topics
+[User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)
+[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 8ca3e5b215..0a5069eff9 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -1,172 +1,173 @@
----
-title: Migrate Application Settings (Windows 10)
-description: Migrate Application Settings
-ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Migrate Application Settings
-
-
-You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines.
-
-This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time.
-
-This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves.
-
-## In this Topic
-
-
-- [Before You Begin](#bkmk-beforebegin)
-
-- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1).
-
-- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2).
-
-- [Step 3: Identify how to apply the gathered settings](#bkmk-step3).
-
-- [Step 4: Create the migration XML component for the application](#bkmk-step4).
-
-- [Step 5: Test the application settings migration](#bkmk-step5).
-
-## Before You Begin
-
-
-You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application.
-
-## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer.
-
-
-Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer.
-
-There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want.
-
-### Check the registry for an application uninstall key.
-
-When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function.
-
-Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry.
-
-### Check the file system for the application executable file.
-
-You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file.
-
-## Step 2: Identify settings to collect and determine where each setting is stored on the computer.
-
-
-Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable.
-
-###
-
-**How To Determine Where Each Setting is Stored**
-
-1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109).
-
-2. Shut down as many applications as possible to limit the registry and file system activity on the computer.
-
-3. Filter the output of the tools so it only displays changes being made by the application.
-
- **Note**
- Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine.
-
-
-
-4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**.
-
-5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting.
-
- **Note**
- Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values.
-
-
-
-## Step 3: Identify how to apply the gathered settings.
-
-
-If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases:
-
-### Case 1: The version of the application on the destination computer is newer than the one on the source computer.
-
-In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true:
-
-- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer.
-
- To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer.
-
-- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions.
-
-### Case 2: The destination computer already contains settings for the application.
-
-We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function.
-
-### Case 3: The application overwrites settings when it is installed.
-
-We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer.
-
-## Step 4: Create the migration XML component for the application
-
-
-After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file.
-
-**Note**
-We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version.
-
-
-
-**Important**
-Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration.
-
-
-
-Your script should do the following:
-
-1. Check whether the application and correct version is installed by:
-
- - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function.
-
- - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function.
-
-2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer.
-
- - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements.
-
- - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions.
-
- - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element.
-
-For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md).
-
-## Step 5: Test the application settings migration
-
-
-On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly.
-
-To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration.
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-
-[XML Elements Library](usmt-xml-elements-library.md)
-
-[Log Files](usmt-log-files.md)
-
-
-
-
-
-
-
-
-
+---
+title: Migrate Application Settings (Windows 10)
+description: Learn how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using MigApp.xml.
+ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Migrate Application Settings
+
+
+You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines.
+
+This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time.
+
+This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves.
+
+## In this Topic
+
+
+- [Before You Begin](#bkmk-beforebegin)
+
+- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1).
+
+- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2).
+
+- [Step 3: Identify how to apply the gathered settings](#bkmk-step3).
+
+- [Step 4: Create the migration XML component for the application](#bkmk-step4).
+
+- [Step 5: Test the application settings migration](#bkmk-step5).
+
+## Before You Begin
+
+
+You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application.
+
+## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer.
+
+
+Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer.
+
+There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want.
+
+### Check the registry for an application uninstall key.
+
+When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function.
+
+Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry.
+
+### Check the file system for the application executable file.
+
+You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file.
+
+## Step 2: Identify settings to collect and determine where each setting is stored on the computer.
+
+
+Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable.
+
+###
+
+**How To Determine Where Each Setting is Stored**
+
+1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109).
+
+2. Shut down as many applications as possible to limit the registry and file system activity on the computer.
+
+3. Filter the output of the tools so it only displays changes being made by the application.
+
+ **Note**
+ Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine.
+
+
+
+4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**.
+
+5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting.
+
+ **Note**
+ Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values.
+
+
+
+## Step 3: Identify how to apply the gathered settings.
+
+
+If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases:
+
+### Case 1: The version of the application on the destination computer is newer than the one on the source computer.
+
+In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true:
+
+- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer.
+
+ To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer.
+
+- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions.
+
+### Case 2: The destination computer already contains settings for the application.
+
+We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function.
+
+### Case 3: The application overwrites settings when it is installed.
+
+We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer.
+
+## Step 4: Create the migration XML component for the application
+
+
+After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file.
+
+**Note**
+We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version.
+
+
+
+**Important**
+Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration.
+
+
+
+Your script should do the following:
+
+1. Check whether the application and correct version is installed by:
+
+ - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function.
+
+ - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function.
+
+2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer.
+
+ - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements.
+
+ - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions.
+
+ - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element.
+
+For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md).
+
+## Step 5: Test the application settings migration
+
+
+On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly.
+
+To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration.
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
+
+[XML Elements Library](usmt-xml-elements-library.md)
+
+[Log Files](usmt-log-files.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 2d1d744fa6..84a87a0aac 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -1,81 +1,82 @@
----
-title: Migration Store Types Overview (Windows 10)
-description: Migration Store Types Overview
-ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Migration Store Types Overview
-
-
-When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device.
-
-## In This Topic
-
-
-[Migration Store Types](#bkmk-types)
-
-[Local Store vs. Remote Store](#bkmk-localvremote)
-
-[The /localonly Command-Line Option](#bkmk-localonly)
-
-## Migration Store Types
-
-
-This section describes the three migration store types available in USMT.
-
-### Uncompressed (UNC)
-
-The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer.
-
-### Compressed
-
-The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer.
-
-### Hard-Link
-
-A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration.
-
-You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md).
-
-The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store.
-
-
-
-## Local Store vs. Remote Store
-
-
-If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing.
-
-If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server.
-
-**Important**
-If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check.
-
-
-
-### The /localonly Command-Line Option
-
-You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-
-
-
-
-
-
-
-
+---
+title: Migration Store Types Overview (Windows 10)
+description: Learn about the migration store types and how to determine which migration store type best suits your needs.
+ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Migration Store Types Overview
+
+
+When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device.
+
+## In This Topic
+
+
+[Migration Store Types](#bkmk-types)
+
+[Local Store vs. Remote Store](#bkmk-localvremote)
+
+[The /localonly Command-Line Option](#bkmk-localonly)
+
+## Migration Store Types
+
+
+This section describes the three migration store types available in USMT.
+
+### Uncompressed (UNC)
+
+The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer.
+
+### Compressed
+
+The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer.
+
+### Hard-Link
+
+A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration.
+
+You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md).
+
+The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store.
+
+
+
+## Local Store vs. Remote Store
+
+
+If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing.
+
+If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server.
+
+**Important**
+If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check.
+
+
+
+### The /localonly Command-Line Option
+
+You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
+
+## Related topics
+
+
+[Plan Your Migration](usmt-plan-your-migration.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 2eab7ea7b8..9e83bf7287 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -1,6 +1,6 @@
---
title: Offline Migration Reference (Windows 10)
-description: Offline Migration Reference
+description: Offline migration enables the ScanState tool to run inside a different Windows OS than the Windows OS from which ScanState is gathering files and settings.
ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index d21fac244a..eebb4c23d3 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -1,6 +1,6 @@
---
title: Understanding Migration XML Files (Windows 10)
-description: Modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files.
+description: Learn how to modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files.
ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index 48782e0bdc..81f3d94585 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -1,6 +1,6 @@
---
title: USMT Best Practices (Windows 10)
-description: USMT Best Practices
+description: Learn about general and security-related best practices when using User State Migration Tool (USMT) 10.0.
ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 75c4393563..6985683c08 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -1,65 +1,66 @@
----
-title: Choose a Migration Store Type (Windows 10)
-description: Choose a Migration Store Type
-ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Choose a Migration Store Type
-
-
-One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store.
-
-## In This Section
-
-
-
-
-
-
-
-
-
-Migration Store Types Overview |
-Choose the migration store type that works best for your needs and migration scenario. |
-
-
-Estimate Migration Store Size |
-Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. |
-
-
-Hard-Link Migration Store |
-Learn about hard-link migration stores and the scenarios in which they are used. |
-
-
-Migration Store Encryption |
-Learn about the using migration store encryption to protect user data integrity during a migration. |
-
-
-
-
-
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-
-
-
-
-
-
-
-
-
+---
+title: Choose a Migration Store Type (Windows 10)
+description: Learn how to choose a migration store type and estimate the amount of disk space needed for computers in your organization.
+ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Choose a Migration Store Type
+
+
+One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store.
+
+## In This Section
+
+
+
+
+
+
+
+
+
+Migration Store Types Overview |
+Choose the migration store type that works best for your needs and migration scenario. |
+
+
+Estimate Migration Store Size |
+Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. |
+
+
+Hard-Link Migration Store |
+Learn about hard-link migration stores and the scenarios in which they are used. |
+
+
+Migration Store Encryption |
+Learn about the using migration store encryption to protect user data integrity during a migration. |
+
+
+
+
+
+
+## Related topics
+
+
+[Plan Your Migration](usmt-plan-your-migration.md)
+
+[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 43d9d9c686..85adbc467d 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -1,54 +1,55 @@
----
-title: User State Migration Tool (USMT) Command-line Syntax (Windows 10)
-description: User State Migration Tool (USMT) Command-line Syntax
-ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Command-line Syntax
-
-
-The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation.
-
-## In This Section
-
-
-
-
-
-
-
-
-
-ScanState Syntax |
-Lists the command-line options for using the ScanState tool. |
-
-
-LoadState Syntax |
-Lists the command-line options for using the LoadState tool. |
-
-
-UsmtUtils Syntax |
-Lists the command-line options for using the UsmtUtils tool. |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: User State Migration Tool (USMT) Command-line Syntax (Windows 10)
+description: Learn about the User State Migration Tool (USMT) command-line syntax for using the ScanState tool, LoadState tool, and UsmtUtils tool.
+ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Command-line Syntax
+
+
+The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation.
+
+## In This Section
+
+
+
+
+
+
+
+
+
+ScanState Syntax |
+Lists the command-line options for using the ScanState tool. |
+
+
+LoadState Syntax |
+Lists the command-line options for using the LoadState tool. |
+
+
+UsmtUtils Syntax |
+Lists the command-line options for using the UsmtUtils tool. |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md
index 49aa08dbfe..44a264cb28 100644
--- a/windows/deployment/usmt/usmt-common-issues.md
+++ b/windows/deployment/usmt/usmt-common-issues.md
@@ -1,340 +1,341 @@
----
-title: Common Issues (Windows 10)
-description: Common Issues
-ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.date: 09/19/2017
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Common Issues
-
-
-The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures.
-
-## In This Topic
-
-
-[User Account Problems](#user)
-
-[Command-line Problems](#command)
-
-[XML File Problems](#xml)
-
-[Migration Problems](#migration)
-
-[Offline Migration Problems](#bkmk-offline)
-
-[Hard Link Migration Problems](#bkmk-hardlink)
-
-[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout)
-
-## General Guidelines for Identifying Migration Problems
-
-
-When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem:
-
-- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line.
-
- In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger.
-
- **Note**
- Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred.
-
-
-
-- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
-
-- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
-
-- Create a progress log using the **/Progress** option to monitor your migration.
-
-- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment.
-
-- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on.
-
-- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files.
-
- **Note**
- USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate.
-
-
-
-## User Account Problems
-
-
-The following sections describe common user account problems. Expand the section to see recommended solutions.
-
-### I'm having problems creating local accounts on the destination computer.
-
-**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
-
-### Not all of the user accounts were migrated to the destination computer.
-
-**Causes/Resolutions** There are two possible causes for this problem:
-
-When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode:
-
-1. Click **Start**.
-
-2. Click **All Programs**.
-
-3. Click **Accessories**.
-
-4. Right-click **Command Prompt**.
-
-5. Click **Run as administrator**.
-
-Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration.
-
-Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account.
-
-### User accounts that I excluded were migrated to the destination computer.
-
-**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence.
-
-**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic.
-
-### I am using the /uel option, but many accounts are still being included in the migration.
-
-**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date.
-
-**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option.
-
-### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test.
-
-**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key.
-
-**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile:
-
-1. Open the registry editor by typing `regedit` at an elevated command prompt.
-
-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`.
-
- Each user profile is stored in a System Identifier key under `ProfileList`.
-
-3. Delete the key for the user profile you are trying to remove.
-
-### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool.
-
-**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration.
-
-**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder.
-
-To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files.
-
-### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file.
-
-**Cause:** The computer name was changed during an offline migration of a local user profile.
-
-**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example,
-
-``` syntax
-loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore
-/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1
-```
-
-## Command-line Problems
-
-
-The following sections describe common command-line problems. Expand the section to see recommended solutions.
-
-### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters."
-
-**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path.
-
-**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters.
-
-### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory."
-
-**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**.
-
-**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option.
-
-## XML File Problems
-
-
-The following sections describe common XML file problems. Expand the section to see recommended solutions.
-
-### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications?
-
-**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file.
-
-**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following:
-
-`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log`
-
-### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct.
-
-**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements.
-
-### I am using a MigXML helper function, but the migration isn’t working the way I expected it to. How do I troubleshoot this issue?
-
-**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected.
-
-**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file.
-
-## Migration Problems
-
-
-The following sections describe common migration problems. Expand the section to see recommended solutions.
-
-### Files that I specified to exclude are still being migrated.
-
-**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration.
-
-**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md).
-
-### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly.
-
-**Cause:** There might be an error in the XML syntax.
-
-**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics:
-
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-
-[Exclude Files and Settings](usmt-exclude-files-and-settings.md)
-
-[Reroute Files and Settings](usmt-reroute-files-and-settings.md)
-
-[Include Files and Settings](usmt-include-files-and-settings.md)
-
-[Custom XML Examples](usmt-custom-xml-examples.md)
-
-### After LoadState completes, the new desktop background does not appear on the destination computer.
-
-There are three typical causes for this issue.
-
-**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted.
-
-**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background.
-
-**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate.
-
-**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer.
-
-**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate.
-
-**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials.
-
-### I included MigApp.xml in the migration, but some PST files aren’t migrating.
-
-**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles.
-
-**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files.
-
-### USMT does not migrate the Start layout
-
-**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured.
-
-**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
-
-**Resolution:** The following workaround is available:
-
-1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired:
-
- ```
- Export-StartLayout -Path "C:\Layout\user1.xml"
- ```
-2. Migrate the user's profile with USMT.
-3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command:
-
- ```
- Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive%
- ```
-
-This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
-
-## Offline Migration Problems
-
-
-The following sections describe common offline migration problems. Expand the section to see recommended solutions.
-
-### Some of my system settings do not migrate in an offline migration.
-
-**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-
-**Resolution:** In an offline migration, these system settings must be restored manually.
-
-### The ScanState tool fails with return code 26.
-
-**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error".
-
-**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile.
-
-### Include and Exclude rules for migrating user profiles do not work the same offline as they do online.
-
-**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping.
-
-**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example:
-
-``` syntax
-Scanstate /ui:S1-5-21-124525095-708259637-1543119021*
-```
-
-The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well.
-
-You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277).
-
-### My script to wipe the disk fails after running the ScanState tool on a 64-bit system.
-
-**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running.
-
-**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type:
-
-``` syntax
-reg.exe unload hklm\$dest$software
-```
-
-## Hard-Link Migration Problems
-
-
-The following sections describe common hard-link migration problems. Expand the section to see recommended solutions.
-
-### EFS files are not restored to the new partition.
-
-**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition.
-
-**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store.
-
-### The ScanState tool cannot delete a previous hard-link migration store.
-
-**Cause:** The migration store contains hard links to locked files.
-
-**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type:
-
-``` syntax
-USMTutils /rd
-```
-
-You should also reboot the machine.
-
-
-
-
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-
-[Frequently Asked Questions](usmt-faq.md)
-
-[Return Codes](usmt-return-codes.md)
-
-[UsmtUtils Syntax](usmt-utilities.md)
-
-
-
-
-
-
-
-
-
+---
+title: Common Issues (Windows 10)
+description: Learn about common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools.
+ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.date: 09/19/2017
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Common Issues
+
+
+The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures.
+
+## In This Topic
+
+
+[User Account Problems](#user)
+
+[Command-line Problems](#command)
+
+[XML File Problems](#xml)
+
+[Migration Problems](#migration)
+
+[Offline Migration Problems](#bkmk-offline)
+
+[Hard Link Migration Problems](#bkmk-hardlink)
+
+[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout)
+
+## General Guidelines for Identifying Migration Problems
+
+
+When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem:
+
+- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line.
+
+ In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger.
+
+ **Note**
+ Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred.
+
+
+
+- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
+
+- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
+
+- Create a progress log using the **/Progress** option to monitor your migration.
+
+- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment.
+
+- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on.
+
+- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files.
+
+ **Note**
+ USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate.
+
+
+
+## User Account Problems
+
+
+The following sections describe common user account problems. Expand the section to see recommended solutions.
+
+### I'm having problems creating local accounts on the destination computer.
+
+**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
+
+### Not all of the user accounts were migrated to the destination computer.
+
+**Causes/Resolutions** There are two possible causes for this problem:
+
+When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode:
+
+1. Click **Start**.
+
+2. Click **All Programs**.
+
+3. Click **Accessories**.
+
+4. Right-click **Command Prompt**.
+
+5. Click **Run as administrator**.
+
+Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration.
+
+Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account.
+
+### User accounts that I excluded were migrated to the destination computer.
+
+**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence.
+
+**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic.
+
+### I am using the /uel option, but many accounts are still being included in the migration.
+
+**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date.
+
+**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option.
+
+### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test.
+
+**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key.
+
+**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile:
+
+1. Open the registry editor by typing `regedit` at an elevated command prompt.
+
+2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`.
+
+ Each user profile is stored in a System Identifier key under `ProfileList`.
+
+3. Delete the key for the user profile you are trying to remove.
+
+### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool.
+
+**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration.
+
+**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder.
+
+To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files.
+
+### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file.
+
+**Cause:** The computer name was changed during an offline migration of a local user profile.
+
+**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example,
+
+``` syntax
+loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore
+/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1
+```
+
+## Command-line Problems
+
+
+The following sections describe common command-line problems. Expand the section to see recommended solutions.
+
+### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters."
+
+**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path.
+
+**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters.
+
+### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory."
+
+**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**.
+
+**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option.
+
+## XML File Problems
+
+
+The following sections describe common XML file problems. Expand the section to see recommended solutions.
+
+### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications?
+
+**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file.
+
+**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following:
+
+`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log`
+
+### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct.
+
+**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements.
+
+### I am using a MigXML helper function, but the migration isn’t working the way I expected it to. How do I troubleshoot this issue?
+
+**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected.
+
+**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file.
+
+## Migration Problems
+
+
+The following sections describe common migration problems. Expand the section to see recommended solutions.
+
+### Files that I specified to exclude are still being migrated.
+
+**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration.
+
+**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md).
+
+### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly.
+
+**Cause:** There might be an error in the XML syntax.
+
+**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics:
+
+[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
+
+[Exclude Files and Settings](usmt-exclude-files-and-settings.md)
+
+[Reroute Files and Settings](usmt-reroute-files-and-settings.md)
+
+[Include Files and Settings](usmt-include-files-and-settings.md)
+
+[Custom XML Examples](usmt-custom-xml-examples.md)
+
+### After LoadState completes, the new desktop background does not appear on the destination computer.
+
+There are three typical causes for this issue.
+
+**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted.
+
+**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background.
+
+**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate.
+
+**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer.
+
+**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate.
+
+**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials.
+
+### I included MigApp.xml in the migration, but some PST files aren’t migrating.
+
+**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles.
+
+**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files.
+
+### USMT does not migrate the Start layout
+
+**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured.
+
+**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
+
+**Resolution:** The following workaround is available:
+
+1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired:
+
+ ```
+ Export-StartLayout -Path "C:\Layout\user1.xml"
+ ```
+2. Migrate the user's profile with USMT.
+3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command:
+
+ ```
+ Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive%
+ ```
+
+This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
+
+## Offline Migration Problems
+
+
+The following sections describe common offline migration problems. Expand the section to see recommended solutions.
+
+### Some of my system settings do not migrate in an offline migration.
+
+**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
+
+**Resolution:** In an offline migration, these system settings must be restored manually.
+
+### The ScanState tool fails with return code 26.
+
+**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error".
+
+**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile.
+
+### Include and Exclude rules for migrating user profiles do not work the same offline as they do online.
+
+**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping.
+
+**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example:
+
+``` syntax
+Scanstate /ui:S1-5-21-124525095-708259637-1543119021*
+```
+
+The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well.
+
+You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277).
+
+### My script to wipe the disk fails after running the ScanState tool on a 64-bit system.
+
+**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running.
+
+**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type:
+
+``` syntax
+reg.exe unload hklm\$dest$software
+```
+
+## Hard-Link Migration Problems
+
+
+The following sections describe common hard-link migration problems. Expand the section to see recommended solutions.
+
+### EFS files are not restored to the new partition.
+
+**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition.
+
+**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store.
+
+### The ScanState tool cannot delete a previous hard-link migration store.
+
+**Cause:** The migration store contains hard links to locked files.
+
+**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type:
+
+``` syntax
+USMTutils /rd
+```
+
+You should also reboot the machine.
+
+
+
+
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+
+[Frequently Asked Questions](usmt-faq.md)
+
+[Return Codes](usmt-return-codes.md)
+
+[UsmtUtils Syntax](usmt-utilities.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index db0aad8633..6a280b171a 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -1,6 +1,6 @@
---
title: Config.xml File (Windows 10)
-description: Config.xml File
+description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool.
ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index 5b40bd3e9d..660d157cfc 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -1,6 +1,6 @@
---
title: Conflicts and Precedence (Windows 10)
-description: Conflicts and Precedence
+description: In this article, learn how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence.
ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 66f4f18511..5314d52e8e 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -1,6 +1,6 @@
---
title: Custom XML Examples (Windows 10)
-description: Custom XML Examples
+description: Use custom XML examples to learn how to migrate an unsupported application, migrate files and registry keys, and migrate the My Videos folder.
ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 9376707ccd..37708b7766 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -1,138 +1,139 @@
----
-title: Customize USMT XML Files (Windows 10)
-description: Customize USMT XML Files
-ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Customize USMT XML Files
-
-
-## In This Topic
-
-
-[Overview](#bkmk-overview)
-
-[Migration .xml Files](#bkmk-migxml)
-
-[Custom .xml Files](#bkmk-customxmlfiles)
-
-[The Config.xml File](#bkmk-configxml)
-
-[Examples](#bkmk-examples)
-
-[Additional Information](#bkmk-addlinfo)
-
-## Overview
-
-
-If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate.
-
-If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data.
-
-To modify the migration, do one or more of the following.
-
-- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered.
-
-- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines.
-
-- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated.
-
-For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
-
-## Migration .xml Files
-
-
-This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer.
-
-**Note**
-You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character.
-
-
-
-- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings.
-
-- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file.
-
-- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options.
-
- **Note**
- Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics.
-
-
-
-## Custom .xml Files
-
-
-You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic.
-
-## The Config.xml File
-
-
-The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file.
-
-If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state.
-
-When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`.
-
-After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
-
-In addition, note the following functionality with the Config.xml file:
-
-- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`.
-
-- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated.
-
-- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic.
-
-**Note**
-To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
-
-
-
-### Examples
-
-- The following command creates a Config.xml file in the current directory, but it does not create a store:
-
- `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5`
-
-- The following command creates an encrypted store using the Config.xml file and the default migration .xml files:
-
- `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"`
-
-- The following command decrypts the store and migrates the files and settings:
-
- `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"`
-
-## Additional Information
-
-
-- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
-
-- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic.
-
-- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic.
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
-
-[USMT Resources](usmt-resources.md)
-
-
-
-
-
-
-
-
-
+---
+title: Customize USMT XML Files (Windows 10)
+description: Learn how to customize USMT XML files. Also, learn about the migration XML files that are included with USMT.
+ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Customize USMT XML Files
+
+
+## In This Topic
+
+
+[Overview](#bkmk-overview)
+
+[Migration .xml Files](#bkmk-migxml)
+
+[Custom .xml Files](#bkmk-customxmlfiles)
+
+[The Config.xml File](#bkmk-configxml)
+
+[Examples](#bkmk-examples)
+
+[Additional Information](#bkmk-addlinfo)
+
+## Overview
+
+
+If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate.
+
+If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data.
+
+To modify the migration, do one or more of the following.
+
+- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered.
+
+- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines.
+
+- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated.
+
+For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
+
+## Migration .xml Files
+
+
+This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer.
+
+**Note**
+You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character.
+
+
+
+- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings.
+
+- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file.
+
+- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options.
+
+ **Note**
+ Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics.
+
+
+
+## Custom .xml Files
+
+
+You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic.
+
+## The Config.xml File
+
+
+The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file.
+
+If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state.
+
+When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`.
+
+After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
+
+In addition, note the following functionality with the Config.xml file:
+
+- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`.
+
+- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated.
+
+- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic.
+
+**Note**
+To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
+
+
+
+### Examples
+
+- The following command creates a Config.xml file in the current directory, but it does not create a store:
+
+ `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5`
+
+- The following command creates an encrypted store using the Config.xml file and the default migration .xml files:
+
+ `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"`
+
+- The following command decrypts the store and migrates the files and settings:
+
+ `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"`
+
+## Additional Information
+
+
+- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
+
+- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic.
+
+- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic.
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
+
+[USMT Resources](usmt-resources.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 21a829f394..f429351369 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -1,279 +1,280 @@
----
-title: Exclude Files and Settings (Windows 10)
-description: Exclude Files and Settings
-ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Exclude Files and Settings
-When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md).
-
-In this topic:
-
-- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude:
-
- - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements.
-
- - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData.
-
-- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax.
-
-## Create a custom .xml file
-We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications.
-
-### <include> and <exclude>
-The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
-
-**Note**
-If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary.
-
-- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
-
-- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)
-
-- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)
-
-- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder)
-
-- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location)
-
-### Example 1: How to migrate all files from C:\\ except .mp3 files
-The following .xml file migrates all files located on the C: drive, except any .mp3 files.
-
-``` xml
-
-
-
- MP3 Files
-
-
-
-
- C:\* [*]
-
-
-
-
- C:\* [*.mp3]
-
-
-
-
-
-
-```
-### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp
-The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp.
-
-``` xml
-
-
- Test component
-
-
-
-
- C:\Data\* [*]
-
-
-
-
- C:\Data\temp\* [*]
-
-
-
-
-
-
-```
-
-### Example 3: How to exclude the files in a folder but include all subfolders
-The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts.
-
-``` xml
-
-
- Component to migrate all Engineering Drafts Documents without subfolders
-
-
-
-
- C:\EngineeringDrafts\* [*]
-
-
-
-
- C:\EngineeringDrafts\ [*]
-
-
-
-
-
-
-```
-
-### Example 4: How to exclude a file from a specific folder
-The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts.
-
-``` xml
-
-
- Component to migrate all Engineering Drafts Documents except Sample.doc
-
-
-
-
- C:\EngineeringDrafts\* [*]
-
-
-
-
- C:\EngineeringDrafts\ [Sample.doc]
-
-
-
-
-
-
-```
-
-### Example 5: How to exclude a file from any location
-To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
-
-``` xml
- C:\* [Sample.doc]
-```
-
-To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded.
-
-``` xml
-
-```
-#### Examples of how to use XML to exclude files, folders, and registry keys
-Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md)
-
-**Example 1: How to exclude all .mp3 files**
-The following .xml file excludes all .mp3 files from the migration:
-
-``` xml
-
-
- Test
-
-
-
-
-
-
-
-
-
-
-
-```
-**Example 2: How to exclude all of the files on a specific drive**
-The following .xml file excludes only the files located on the C: drive.
-
-``` xml
-
-
- Test
-
-
-
-
- c:\*[*]
-
-
-
-
-
-
-```
-**Example 3: How to exclude registry keys**
-The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys.
-
-``` xml
-
-
-
- Test
-
-
-
-
- HKCU\testReg[*]
-
-
-
-
- HKCU\*[*]
-
-
-
-
-
-
-```
-**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
-The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element.
-
-``` xml
-
-
-
- Test
-
-
-
-
-
-
-
-
-
-
-
- C:\Program Files\* [*]
-C:\Windows\* [*]
-
-
-
-
-
-
-```
-## Create a Config XML File
-You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.
-
-- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file.
-
-- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section.
-
-- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not.
-
-See [Config.xml File](usmt-configxml-file.md) for more information.
-
-**Note**
-To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
-
-## Related topics
-- [Customize USMT XML Files](usmt-customize-xml-files.md)
-- [USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Exclude Files and Settings (Windows 10)
+description: In this article, learn how to exclude files and settings when creating a custom .xml file and a config.xml file.
+ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Exclude Files and Settings
+When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md).
+
+In this topic:
+
+- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude:
+
+ - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements.
+
+ - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData.
+
+- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax.
+
+## Create a custom .xml file
+We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications.
+
+### <include> and <exclude>
+The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
+
+**Note**
+If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary.
+
+- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
+
+- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)
+
+- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)
+
+- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder)
+
+- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location)
+
+### Example 1: How to migrate all files from C:\\ except .mp3 files
+The following .xml file migrates all files located on the C: drive, except any .mp3 files.
+
+``` xml
+
+
+
+ MP3 Files
+
+
+
+
+ C:\* [*]
+
+
+
+
+ C:\* [*.mp3]
+
+
+
+
+
+
+```
+### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp
+The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp.
+
+``` xml
+
+
+ Test component
+
+
+
+
+ C:\Data\* [*]
+
+
+
+
+ C:\Data\temp\* [*]
+
+
+
+
+
+
+```
+
+### Example 3: How to exclude the files in a folder but include all subfolders
+The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts.
+
+``` xml
+
+
+ Component to migrate all Engineering Drafts Documents without subfolders
+
+
+
+
+ C:\EngineeringDrafts\* [*]
+
+
+
+
+ C:\EngineeringDrafts\ [*]
+
+
+
+
+
+
+```
+
+### Example 4: How to exclude a file from a specific folder
+The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts.
+
+``` xml
+
+
+ Component to migrate all Engineering Drafts Documents except Sample.doc
+
+
+
+
+ C:\EngineeringDrafts\* [*]
+
+
+
+
+ C:\EngineeringDrafts\ [Sample.doc]
+
+
+
+
+
+
+```
+
+### Example 5: How to exclude a file from any location
+To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
+
+``` xml
+ C:\* [Sample.doc]
+```
+
+To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded.
+
+``` xml
+
+```
+#### Examples of how to use XML to exclude files, folders, and registry keys
+Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md)
+
+**Example 1: How to exclude all .mp3 files**
+The following .xml file excludes all .mp3 files from the migration:
+
+``` xml
+
+
+ Test
+
+
+
+
+
+
+
+
+
+
+
+```
+**Example 2: How to exclude all of the files on a specific drive**
+The following .xml file excludes only the files located on the C: drive.
+
+``` xml
+
+
+ Test
+
+
+
+
+ c:\*[*]
+
+
+
+
+
+
+```
+**Example 3: How to exclude registry keys**
+The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys.
+
+``` xml
+
+
+
+ Test
+
+
+
+
+ HKCU\testReg[*]
+
+
+
+
+ HKCU\*[*]
+
+
+
+
+
+
+```
+**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
+The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element.
+
+``` xml
+
+
+
+ Test
+
+
+
+
+
+
+
+
+
+
+
+ C:\Program Files\* [*]
+C:\Windows\* [*]
+
+
+
+
+
+
+```
+## Create a Config XML File
+You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.
+
+- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file.
+
+- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section.
+
+- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not.
+
+See [Config.xml File](usmt-configxml-file.md) for more information.
+
+**Note**
+To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
+
+## Related topics
+- [Customize USMT XML Files](usmt-customize-xml-files.md)
+- [USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 6a97acb78b..a6d6154a83 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -1,122 +1,123 @@
----
-title: Extract Files from a Compressed USMT Migration Store (Windows 10)
-description: Extract Files from a Compressed USMT Migration Store
-ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Extract Files from a Compressed USMT Migration Store
-
-
-When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store.
-
-Options used with the **/extract** option can specify:
-
-- The cryptographic algorithm that was used to create the migration store.
-
-- The encryption key or the text file that contains the encryption key.
-
-- Include and exclude patterns for selective data extraction.
-
-In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools.
-
-## In this topic
-
-
-- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax)
-
-- [To extract all files from a compressed migration store](#bkmk-extractallfiles)
-
-- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles)
-
-- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern)
-
-- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles)
-
-### To run the USMTutils tool with the /extract option
-
-To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax:
-
-Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\]
-
-Where the placeholders have the following values:
-
-- *<USMTpath>* is the location where you have saved the USMT files and tools.
-
-- *<filePath>* is the location of the migration store.
-
-- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents.
-
-- *<includePattern>* specifies the pattern for the files to include in the extraction.
-
-- *<excludePattern>* specifies the pattern for the files to omit from the extraction.
-
-- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line.
-
-- *<logfile>* is the location and name of the log file.
-
-- *<keystring>* is the encryption key that was used to encrypt the migration store.
-
-- *<filename>* is the location and name of the text file that contains the encryption key.
-
-### To extract all files from a compressed migration store
-
-To extract everything from a compressed migration store to a file on the C:\\ drive, type:
-
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
-```
-
-### To extract specific file types from an encrypted compressed migration store
-
-To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type:
-
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt
-```
-
-In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey.
-
-### To extract all but one, or more, file types from an encrypted compressed migration store
-
-To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type:
-
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt
-```
-
-### To extract file types using the include pattern and the exclude pattern
-
-To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example:
-
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o
-```
-
-In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option.
-
-## Related topics
-
-
-[UsmtUtils Syntax](usmt-utilities.md)
-
-[Return Codes](usmt-return-codes.md)
-
-[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
-
-
-
-
-
-
-
-
-
+---
+title: Extract Files from a Compressed USMT Migration Store (Windows 10)
+description: In this article, learn how to extract files from a compressed User State Migration Tool (USMT) migration store.
+ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Extract Files from a Compressed USMT Migration Store
+
+
+When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store.
+
+Options used with the **/extract** option can specify:
+
+- The cryptographic algorithm that was used to create the migration store.
+
+- The encryption key or the text file that contains the encryption key.
+
+- Include and exclude patterns for selective data extraction.
+
+In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools.
+
+## In this topic
+
+
+- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax)
+
+- [To extract all files from a compressed migration store](#bkmk-extractallfiles)
+
+- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles)
+
+- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern)
+
+- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles)
+
+### To run the USMTutils tool with the /extract option
+
+To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax:
+
+Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\]
+
+Where the placeholders have the following values:
+
+- *<USMTpath>* is the location where you have saved the USMT files and tools.
+
+- *<filePath>* is the location of the migration store.
+
+- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents.
+
+- *<includePattern>* specifies the pattern for the files to include in the extraction.
+
+- *<excludePattern>* specifies the pattern for the files to omit from the extraction.
+
+- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line.
+
+- *<logfile>* is the location and name of the log file.
+
+- *<keystring>* is the encryption key that was used to encrypt the migration store.
+
+- *<filename>* is the location and name of the text file that contains the encryption key.
+
+### To extract all files from a compressed migration store
+
+To extract everything from a compressed migration store to a file on the C:\\ drive, type:
+
+``` syntax
+usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
+```
+
+### To extract specific file types from an encrypted compressed migration store
+
+To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type:
+
+``` syntax
+usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt
+```
+
+In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey.
+
+### To extract all but one, or more, file types from an encrypted compressed migration store
+
+To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type:
+
+``` syntax
+usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt
+```
+
+### To extract file types using the include pattern and the exclude pattern
+
+To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example:
+
+``` syntax
+usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o
+```
+
+In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option.
+
+## Related topics
+
+
+[UsmtUtils Syntax](usmt-utilities.md)
+
+[Return Codes](usmt-return-codes.md)
+
+[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-faq.md b/windows/deployment/usmt/usmt-faq.md
index 49092e9f6f..97be09803c 100644
--- a/windows/deployment/usmt/usmt-faq.md
+++ b/windows/deployment/usmt/usmt-faq.md
@@ -1,137 +1,138 @@
----
-title: Frequently Asked Questions (Windows 10)
-description: Frequently Asked Questions
-ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Frequently Asked Questions
-
-
-The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.
-
-## General
-
-
-### How much space is needed on the destination computer?
-
-The destination computer needs enough available space for the following:
-
-- Operating system
-
-- Applications
-
-- Uncompressed store
-
-### Can I store the files and settings directly on the destination computer or do I need a server?
-
-You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps:
-
-1. Create and share the directory C:\\store on the destination computer.
-
-2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store
-
-3. Run the LoadState tool on the destination computer and specify C:\\store as the store location.
-
-### Can I migrate data between operating systems with different languages?
-
-No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language.
-
-### Can I change the location of the temporary directory on the destination computer?
-
-Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media.
-
-### How do I install USMT?
-
-Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer.
-
-### How do I uninstall USMT?
-
-If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT.
-
-## Files and Settings
-
-
-### How can I exclude a folder or a certain type of file from the migration?
-
-You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md).
-
-### What happens to files that were located on a drive that does not exist on the destination computer?
-
-USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer.
-
-## USMT .xml Files
-
-
-### Where can I get examples of USMT .xml files?
-
-The following topics include examples of USMT .xml files:
-
-- [Exclude Files and Settings](usmt-exclude-files-and-settings.md)
-
-- [Reroute Files and Settings](usmt-reroute-files-and-settings.md)
-
-- [Include Files and Settings](usmt-include-files-and-settings.md)
-
-- [Custom XML Examples](usmt-custom-xml-examples.md)
-
-### Can I use custom .xml files that were written for USMT 5.0?
-
-Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements.
-
-### How can I validate the .xml files?
-
-You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files.
-
-### Why must I list the .xml files with both the ScanState and LoadState commands?
-
-The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate.
-
-If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
-
-### Which files can I modify and specify on the command line?
-
-You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file.
-
-### What happens if I do not specify the .xml files on the command line?
-
-- **ScanState**
-
- If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated.
-
-- **LoadState**
-
- If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
-
-## Conflicts and Precedence
-
-
-### What happens when there are conflicting XML rules or conflicting objects on the destination computer?
-
-For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-
-[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)
-
-[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
-
-
-
-
-
-
-
-
-
+---
+title: Frequently Asked Questions (Windows 10)
+description: Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.
+ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Frequently Asked Questions
+
+
+The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.
+
+## General
+
+
+### How much space is needed on the destination computer?
+
+The destination computer needs enough available space for the following:
+
+- Operating system
+
+- Applications
+
+- Uncompressed store
+
+### Can I store the files and settings directly on the destination computer or do I need a server?
+
+You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps:
+
+1. Create and share the directory C:\\store on the destination computer.
+
+2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store
+
+3. Run the LoadState tool on the destination computer and specify C:\\store as the store location.
+
+### Can I migrate data between operating systems with different languages?
+
+No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language.
+
+### Can I change the location of the temporary directory on the destination computer?
+
+Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media.
+
+### How do I install USMT?
+
+Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer.
+
+### How do I uninstall USMT?
+
+If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT.
+
+## Files and Settings
+
+
+### How can I exclude a folder or a certain type of file from the migration?
+
+You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md).
+
+### What happens to files that were located on a drive that does not exist on the destination computer?
+
+USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer.
+
+## USMT .xml Files
+
+
+### Where can I get examples of USMT .xml files?
+
+The following topics include examples of USMT .xml files:
+
+- [Exclude Files and Settings](usmt-exclude-files-and-settings.md)
+
+- [Reroute Files and Settings](usmt-reroute-files-and-settings.md)
+
+- [Include Files and Settings](usmt-include-files-and-settings.md)
+
+- [Custom XML Examples](usmt-custom-xml-examples.md)
+
+### Can I use custom .xml files that were written for USMT 5.0?
+
+Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements.
+
+### How can I validate the .xml files?
+
+You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files.
+
+### Why must I list the .xml files with both the ScanState and LoadState commands?
+
+The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate.
+
+If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
+
+### Which files can I modify and specify on the command line?
+
+You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file.
+
+### What happens if I do not specify the .xml files on the command line?
+
+- **ScanState**
+
+ If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated.
+
+- **LoadState**
+
+ If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
+
+## Conflicts and Precedence
+
+
+### What happens when there are conflicting XML rules or conflicting objects on the destination computer?
+
+For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+
+[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)
+
+[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 3439d25d7a..49cbfc3f28 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -1,106 +1,107 @@
----
-title: General Conventions (Windows 10)
-description: General Conventions
-ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# General Conventions
-
-
-This topic describes the XML helper functions.
-
-## In This Topic
-
-
-[General XML Guidelines](#bkmk-general)
-
-[Helper Functions](#bkmk-helperfunctions)
-
-## General XML Guidelines
-
-
-Before you modify the .xml files, become familiar with the following guidelines:
-
-- **XML schema**
-
- You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files.
-
-- **Conflits**
-
- In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-- **Required elements**
-
- The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**.
-
-- **Required child elements**
-
- - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration.
-
- - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements.
-
-- **File names with brackets**
-
- If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
-
-- **Using quotation marks**
-
- When you surround code in quotation marks, you can use either double ("") or single (') quotation marks.
-
-## Helper Functions
-
-
-You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following:
-
-- **All of the parameters are strings**
-
-- **You can leave NULL parameters blank**
-
- As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function:
-
- ``` syntax
- SomeFunction("My String argument",NULL,NULL)
- ```
-
- is equivalent to:
-
- ``` syntax
- SomeFunction("My String argument")
- ```
-
-- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object**
-
- It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves.
-
- For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters.
-
- The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
-
-- **You specify a location pattern in a way that is similar to how you specify an actual location**
-
- The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf.
-
- For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**.
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: General Conventions (Windows 10)
+description: Learn about general XML guidelines and how to use XML helper functions in the XML Elements library to change migration behavior.
+ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# General Conventions
+
+
+This topic describes the XML helper functions.
+
+## In This Topic
+
+
+[General XML Guidelines](#bkmk-general)
+
+[Helper Functions](#bkmk-helperfunctions)
+
+## General XML Guidelines
+
+
+Before you modify the .xml files, become familiar with the following guidelines:
+
+- **XML schema**
+
+ You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files.
+
+- **Conflicts**
+
+ In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+- **Required elements**
+
+ The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**.
+
+- **Required child elements**
+
+ - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration.
+
+ - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements.
+
+- **File names with brackets**
+
+ If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
+
+- **Using quotation marks**
+
+ When you surround code in quotation marks, you can use either double ("") or single (') quotation marks.
+
+## Helper Functions
+
+
+You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following:
+
+- **All of the parameters are strings**
+
+- **You can leave NULL parameters blank**
+
+ As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function:
+
+ ``` syntax
+ SomeFunction("My String argument",NULL,NULL)
+ ```
+
+ is equivalent to:
+
+ ``` syntax
+ SomeFunction("My String argument")
+ ```
+
+- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object**
+
+ It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves.
+
+ For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters.
+
+ The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
+
+- **You specify a location pattern in a way that is similar to how you specify an actual location**
+
+ The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf.
+
+ For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**.
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 5c8bbb6d9b..441dccf3f7 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -1,150 +1,135 @@
----
-title: How USMT Works (Windows 10)
-description: How USMT Works
-ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# How USMT Works
-
-
-USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer.
-
-- [ScanState Process](#bkmk-ssprocess)
-
-- [LoadState Process](#bkmk-lsprocess)
-
- **Note**
- For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-
-
-## The ScanState Process
-
-
-When you run the ScanState tool on the source computer, it goes through the following process:
-
-1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
-
-2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component.
-
- There are three types of components:
-
- - Components that migrate the operating system settings
-
- - Components that migrate application settings
-
- - Components that migrate users’ files
-
- The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line.
-
- In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
-
-3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration.
-
-4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration:
-
- 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
-
- **Note**
- From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way.
-
-
-
- 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory.
-
- 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues.
-
- 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
-
- 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
- In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated.
-
- **Note**
- ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer.
-
-
-
-5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile.
-
-6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location.
-
- **Note**
- ScanState does not modify the source computer in any way.
-
-
-
-## The LoadState Process
-
-
-The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer.
-
-1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
-
-2. LoadState collects information about the migration components that need to be migrated.
-
- LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command.
-
- In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
-
-3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration.
-
- - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated.
-
- - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified.
-
- - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md).
-
-4. In the "Scanning" phase, LoadState does the following for each user profile:
-
- 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
-
- **Note**
- From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way.
-
-
-
- 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory).
-
- **Note**
- LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration.
-
-
-
- 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
-
- 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
- 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections.
-
- 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState.
-
- **Important**
- It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran.
-
-
-
-5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed.
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
-
-
-
-
-
-
-
-
-
+---
+title: How USMT Works (Windows 10)
+description: Learn how USMT works and how it includes two tools that migrate settings and data - ScanState and LoadState.
+ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# How USMT Works
+
+
+USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer.
+
+- [ScanState Process](#the-scanstate-process)
+- [LoadState Process](#the-loadstate-process)
+
+ **Note**
+ For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+## The ScanState Process
+
+When you run the ScanState tool on the source computer, it goes through the following process:
+
+1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
+
+2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component.
+
+ There are three types of components:
+
+ - Components that migrate the operating system settings
+ - Components that migrate application settings
+ - Components that migrate users’ files
+
+ The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line.
+
+ In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
+
+3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration.
+
+4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration:
+
+ 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
+
+ **Note**
+ From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way.
+
+ 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory.
+
+ 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues.
+
+ 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
+
+ 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+ In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated.
+
+ **Note**
+ ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer.
+
+5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile.
+
+6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location.
+
+ **Note**
+ ScanState does not modify the source computer in any way.
+
+## The LoadState Process
+
+
+The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer.
+
+1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
+
+2. LoadState collects information about the migration components that need to be migrated.
+
+ LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command.
+
+ In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
+
+3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration.
+
+ - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated.
+
+ - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified.
+
+ - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md).
+
+4. In the "Scanning" phase, LoadState does the following for each user profile:
+
+ 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
+
+ **Note**
+ From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way.
+
+
+
+ 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory).
+
+ **Note**
+ LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration.
+
+
+
+ 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
+
+ 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+ 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections.
+
+ 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState.
+
+ **Important**
+ It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran.
+
+5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed.
+
+## Related topics
+
+[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index 9fdba24603..f883284978 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -1,35 +1,36 @@
----
-title: User State Migration Tool (USMT) How-to topics (Windows 10)
-description: User State Migration Tool (USMT) How-to topics
-ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) How-to topics
-The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
-
-## In This Section
-
-|Topic |Description|
-|------|-----------|
-|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.|
-|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.|
-|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.|
-|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.|
-|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.|
-|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.|
-|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.|
-|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.|
-
-## Related topics
-- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+---
+title: User State Migration Tool (USMT) How-to topics (Windows 10)
+description: Reference the topics in this article to learn how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
+ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) How-to topics
+The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
+
+## In This Section
+
+|Topic |Description|
+|------|-----------|
+|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.|
+|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.|
+|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.|
+|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.|
+|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.|
+|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.|
+|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.|
+|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.|
+
+## Related topics
+- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index 45cd2a17a7..e8c15402b9 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -1,51 +1,52 @@
----
-title: Identify File Types, Files, and Folders (Windows 10)
-description: Identify File Types, Files, and Folders
-ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Identify File Types, Files, and Folders
-
-
-When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following:
-
-- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis.
-
-- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files).
-
-- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules.
-
-Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer.
-
-**To find the registered file types on a computer running Windows 7 or Windows 8**
-
-1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**.
-
-2. Click **Default Programs**, and click **Associate a file type or protocol with a program**.
-
-3. On this screen, the registered file types are displayed.
-
-For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
-
-## Related topics
-
-
-[Determine What to Migrate](usmt-determine-what-to-migrate.md)
-
-
-
-
-
-
-
-
-
+---
+title: Identify File Types, Files, and Folders (Windows 10)
+description: Learn how to identify the file types, files, folders, and settings that you want to migrate when you're planning your migration.
+ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Identify File Types, Files, and Folders
+
+
+When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following:
+
+- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis.
+
+- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files).
+
+- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules.
+
+Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer.
+
+**To find the registered file types on a computer running Windows 7 or Windows 8**
+
+1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**.
+
+2. Click **Default Programs**, and click **Associate a file type or protocol with a program**.
+
+3. On this screen, the registered file types are displayed.
+
+For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
+
+## Related topics
+
+
+[Determine What to Migrate](usmt-determine-what-to-migrate.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index b58c711dbf..f592773c30 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -1,6 +1,6 @@
---
title: Identify Users (Windows 10)
-description: Identify Users
+description: Learn how to identify users you plan to migrate, as well as how to migrate local accounts and domain accounts.
ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index 3bbf83959b..2a52999416 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -1,6 +1,6 @@
---
title: LoadState Syntax (Windows 10)
-description: LoadState Syntax
+description: Learn about the syntax and usage of the command-line options available when you use the LoadState command.
ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index d9917d3495..7460f63692 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -1,6 +1,6 @@
---
title: Log Files (Windows 10)
-description: Log Files
+description: Learn how to use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations.
ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 706f2c6a6e..17fe9cfc7d 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -1,55 +1,56 @@
----
-title: Migrate EFS Files and Certificates (Windows 10)
-description: Migrate EFS Files and Certificates
-ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Migrate EFS Files and Certificates
-
-
-This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md).
-
-## To Migrate EFS Files and Certificates
-
-
-Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated.
-
-**Note**
-The **/efs** options are not used with the LoadState command.
-
-
-
-Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool.
-
-You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type:
-
-``` syntax
-Cipher /D /S:
-```
-
-Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set.
-
-## Related topics
-
-
-[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-
-[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)
-
-
-
-
-
-
-
-
-
+---
+title: Migrate EFS Files and Certificates (Windows 10)
+description: Learn how to migrate Encrypting File System (EFS) certificates. Also, learn where to find information about how to identify file types, files, and folders.
+ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Migrate EFS Files and Certificates
+
+
+This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md).
+
+## To Migrate EFS Files and Certificates
+
+
+Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated.
+
+**Note**
+The **/efs** options are not used with the LoadState command.
+
+
+
+Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool.
+
+You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type:
+
+``` syntax
+Cipher /D /S:
+```
+
+Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set.
+
+## Related topics
+
+
+[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
+
+[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 663964c7eb..330d9984b5 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -1,96 +1,97 @@
----
-title: Migrate User Accounts (Windows 10)
-description: Migrate User Accounts
-ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Migrate User Accounts
-
-
-By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file.
-
-## In this Topic
-
-
-- [To migrate all user accounts and user settings](#bkmk-migrateall)
-
-- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo)
-
-- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone)
-
-## To migrate all user accounts and user settings
-Links to detailed explanations of commands are available in the Related Topics section.
-
-1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window:
-
- `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o`
-
-2. Log on to the destination computer as an administrator.
-
-3. Do one of the following:
-
- - If you are migrating domain accounts, specify:
-
- `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
-
- - If you are migrating local accounts along with domain accounts, specify:
-
- `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae`
-
- **Note**
- You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer.
-
-
-
-## To migrate two domain accounts (User1 and User2)
-Links to detailed explanations of commands are available in the Related Topics section.
-
-1. Log on to the source computer as an administrator, and specify:
-
- `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o`
-
-2. Log on to the destination computer as an administrator.
-
-3. Specify the following:
-
- `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
-
-## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain
-Links to detailed explanations of commands are available in the Related Topics section.
-
-1. Log on to the source computer as an administrator, and type the following at the command-line prompt:
-
- `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o`
-
-2. Log on to the destination computer as an administrator.
-
-3. Specify the following:
-
- `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml`
-
-## Related topics
-
-
-[Identify Users](usmt-identify-users.md)
-
-[ScanState Syntax](usmt-scanstate-syntax.md)
-
-[LoadState Syntax](usmt-loadstate-syntax.md)
-
-
-
-
-
-
-
-
-
+---
+title: Migrate User Accounts (Windows 10)
+description: Learn how to migrate user accounts and how to specify which users to include and exclude by using the User options on the command line.
+ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Migrate User Accounts
+
+
+By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file.
+
+## In this Topic
+
+
+- [To migrate all user accounts and user settings](#bkmk-migrateall)
+
+- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo)
+
+- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone)
+
+## To migrate all user accounts and user settings
+Links to detailed explanations of commands are available in the Related Topics section.
+
+1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window:
+
+ `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o`
+
+2. Log on to the destination computer as an administrator.
+
+3. Do one of the following:
+
+ - If you are migrating domain accounts, specify:
+
+ `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
+
+ - If you are migrating local accounts along with domain accounts, specify:
+
+ `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae`
+
+ **Note**
+ You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer.
+
+
+
+## To migrate two domain accounts (User1 and User2)
+Links to detailed explanations of commands are available in the Related Topics section.
+
+1. Log on to the source computer as an administrator, and specify:
+
+ `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o`
+
+2. Log on to the destination computer as an administrator.
+
+3. Specify the following:
+
+ `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
+
+## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain
+Links to detailed explanations of commands are available in the Related Topics section.
+
+1. Log on to the source computer as an administrator, and type the following at the command-line prompt:
+
+ `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o`
+
+2. Log on to the destination computer as an administrator.
+
+3. Specify the following:
+
+ `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml`
+
+## Related topics
+
+
+[Identify Users](usmt-identify-users.md)
+
+[ScanState Syntax](usmt-scanstate-syntax.md)
+
+[LoadState Syntax](usmt-loadstate-syntax.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 6d80871901..5ec6da19d3 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -1,60 +1,61 @@
----
-title: User State Migration Tool (USMT) Overview (Windows 10)
-description: User State Migration Tool (USMT) Overview
-ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 10/16/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Overview
-You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
-
-USMT enables you to do the following:
-
-- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
-
-- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md).
-
-- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md).
-
-## Benefits
-USMT provides the following benefits to businesses that are deploying Windows operating systems:
-
-- Safely migrates user accounts, operating system and application settings.
-
-- Lowers the cost of deploying Windows by preserving user state.
-
-- Reduces end-user downtime required to customize desktops and find missing files.
-
-- Reduces help-desk calls.
-
-- Reduces the time needed for the user to become familiar with the new operating system.
-
-- Increases employee satisfaction with the migration experience.
-
-## Limitations
-USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.
-
-There are some scenarios in which the use of USMT is not recommended. These include:
-
-- Migrations that require end-user interaction.
-
-- Migrations that require customization on a machine-by-machine basis.
-
-## Related topics
-- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)
-
-
-
-
-
-
-
-
+---
+title: User State Migration Tool (USMT) Overview (Windows 10)
+description: Learn about using User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems.
+ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 10/16/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Overview
+You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
+
+USMT enables you to do the following:
+
+- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
+
+- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md).
+
+- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md).
+
+## Benefits
+USMT provides the following benefits to businesses that are deploying Windows operating systems:
+
+- Safely migrates user accounts, operating system and application settings.
+
+- Lowers the cost of deploying Windows by preserving user state.
+
+- Reduces end-user downtime required to customize desktops and find missing files.
+
+- Reduces help-desk calls.
+
+- Reduces the time needed for the user to become familiar with the new operating system.
+
+- Increases employee satisfaction with the migration experience.
+
+## Limitations
+USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.
+
+There are some scenarios in which the use of USMT is not recommended. These include:
+
+- Migrations that require end-user interaction.
+
+- Migrations that require customization on a machine-by-machine basis.
+
+## Related topics
+- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 1fa60664bd..7ea0c4d341 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -1,71 +1,72 @@
----
-title: Plan Your Migration (Windows 10)
-description: Plan Your Migration
-ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Plan Your Migration
-
-
-Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure.
-
-In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out.
-
-One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer.
-
-## In This Section
-
-
-
-
-
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Plan Your Migration (Windows 10)
+description: Learn how to your plan your migration carefully so your migration can proceed smoothly and so that you reduce the risk of migration failure.
+ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Plan Your Migration
+
+
+Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure.
+
+In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out.
+
+One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer.
+
+## In This Section
+
+
+
+
+
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index d2862feb9a..dfb923bbd4 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -1,470 +1,471 @@
----
-title: Recognized Environment Variables (Windows 10)
-description: Recognized Environment Variables
-ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Recognized Environment Variables
-
-
-When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file.
-
-## In This Topic
-
-
-- [Variables that are processed for the operating system and in the context of each user](#bkmk-1)
-
-- [Variables that are recognized only in the user context](#bkmk-2)
-
-## Variables that are processed for the operating system and in the context of each user
-
-
-You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`.
-
-
-
-
-
-
-
-
-
-
-
-ALLUSERSAPPDATA |
-Same as CSIDL_COMMON_APPDATA. |
-
-
-ALLUSERSPROFILE |
-Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users. |
-
-
-COMMONPROGRAMFILES |
-Same as CSIDL_PROGRAM_FILES_COMMON. |
-
-
-COMMONPROGRAMFILES(X86) |
-Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems. |
-
-
-CSIDL_COMMON_ADMINTOOLS |
-Version 10.0. The file-system directory that contains administrative tools for all users of the computer. |
-
-
-CSIDL_COMMON_ALTSTARTUP |
-The file-system directory that corresponds to the non-localized Startup program group for all users. |
-
-
-CSIDL_COMMON_APPDATA |
-The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData. |
-
-
-CSIDL_COMMON_DESKTOPDIRECTORY |
-The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop. |
-
-
-CSIDL_COMMON_DOCUMENTS |
-The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents. |
-
-
-CSIDL_COMMON_FAVORITES |
-The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites. |
-
-
-CSIDL_COMMON_MUSIC |
-The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music. |
-
-
-CSIDL_COMMON_PICTURES |
-The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures. |
-
-
-CSIDL_COMMON_PROGRAMS |
-The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs. |
-
-
-CSIDL_COMMON_STARTMENU |
-The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu. |
-
-
-CSIDL_COMMON_STARTUP |
-The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. |
-
-
-CSIDL_COMMON_TEMPLATES |
-The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates. |
-
-
-CSIDL_COMMON_VIDEO |
-The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos. |
-
-
-CSIDL_DEFAULT_APPDATA |
-Refers to the Appdata folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_LOCAL_APPDATA |
-Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_COOKIES |
-Refers to the Cookies folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_CONTACTS |
-Refers to the Contacts folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_DESKTOP |
-Refers to the Desktop folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_DOWNLOADS |
-Refers to the Downloads folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_FAVORITES |
-Refers to the Favorites folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_HISTORY |
-Refers to the History folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_INTERNET_CACHE |
-Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_PERSONAL |
-Refers to the Personal folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_MYDOCUMENTS |
-Refers to the My Documents folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_MYPICTURES |
-Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_MYMUSIC |
-Refers to the My Music folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_MYVIDEO |
-Refers to the My Videos folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_RECENT |
-Refers to the Recent folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_SENDTO |
-Refers to the Send To folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_STARTMENU |
-Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_PROGRAMS |
-Refers to the Programs folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_STARTUP |
-Refers to the Startup folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_TEMPLATES |
-Refers to the Templates folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_DEFAULT_QUICKLAUNCH |
-Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%. |
-
-
-CSIDL_FONTS |
-A virtual folder containing fonts. A typical path is C:\Windows\Fonts. |
-
-
-CSIDL_PROGRAM_FILESX86 |
-The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86). |
-
-
-CSIDL_PROGRAM_FILES_COMMONX86 |
-A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common. |
-
-
-CSIDL_PROGRAM_FILES |
-The Program Files folder. A typical path is C:\Program Files. |
-
-
-CSIDL_PROGRAM_FILES_COMMON |
-A folder for components that are shared across applications. A typical path is C:\Program Files\Common. |
-
-
-CSIDL_RESOURCES |
-The file-system directory that contains resource data. A typical path is C:\Windows\Resources. |
-
-
-CSIDL_SYSTEM |
-The Windows System folder. A typical path is C:\Windows\System32. |
-
-
-CSIDL_WINDOWS |
-The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows. |
-
-
-DEFAULTUSERPROFILE |
-Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile]. |
-
-
-PROFILESFOLDER |
-Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory]. |
-
-
-PROGRAMFILES |
-Same as CSIDL_PROGRAM_FILES. |
-
-
-PROGRAMFILES(X86) |
-Refers to the C:\Program Files (x86) folder on 64-bit systems. |
-
-
-SYSTEM |
-Refers to %WINDIR%\system32. |
-
-
-SYSTEM16 |
-Refers to %WINDIR%\system. |
-
-
-SYSTEM32 |
-Refers to %WINDIR%\system32. |
-
-
-SYSTEMPROFILE |
-Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath]. |
-
-
-SYSTEMROOT |
-Refers to the root of the system drive. |
-
-
-WINDIR |
-Refers to the Windows folder located on the system drive. |
-
-
-
-
-
-
-## Variables that are recognized only in the user context
-
-
-You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`.
-
-
-
-
-
-
-
-
-
-
-
-APPDATA |
-Same as CSIDL_APPDATA. |
-
-
-CSIDL_ADMINTOOLS |
-The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile. |
-
-
-CSIDL_ALTSTARTUP |
-The file-system directory that corresponds to the user's non-localized Startup program group. |
-
-
-CSIDL_APPDATA |
-The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming. |
-
-
-CSIDL_BITBUCKET |
-The virtual folder that contains the objects in the user's Recycle Bin. |
-
-
-CSIDL_CDBURN_AREA |
-The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning. |
-
-
-CSIDL_CONNECTIONS |
-The virtual folder representing Network Connections that contains network and dial-up connections. |
-
-
-CSIDL_CONTACTS |
-This refers to the Contacts folder in %CSIDL_PROFILE%. |
-
-
-CSIDL_CONTROLS |
-The virtual folder that contains icons for the Control Panel items. |
-
-
-CSIDL_COOKIES |
-The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies. |
-
-
-CSIDL_DESKTOP |
-The virtual folder representing the Windows desktop. |
-
-
-CSIDL_DESKTOPDIRECTORY |
-The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop. |
-
-
-CSIDL_DRIVES |
-The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives. |
-
-
-CSIDL_FAVORITES |
-The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites. |
-
-
-CSIDL_HISTORY |
-The file-system directory that serves as a common repository for Internet history items. |
-
-
-CSIDL_INTERNET |
-A virtual folder for Internet Explorer. |
-
-
-CSIDL_INTERNET_CACHE |
-The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files |
-
-
-CSIDL_LOCAL_APPDATA |
-The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local. |
-
-
-CSIDL_MYDOCUMENTS |
-The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents. |
-
-
-CSIDL_MYMUSIC |
-The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music. |
-
-
-CSIDL_MYPICTURES |
-The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures. |
-
-
-CSIDL_MYVIDEO |
-The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos. |
-
-
-CSIDL_NETHOOD |
-A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts. |
-
-
-CSIDL_NETWORK |
-A virtual folder representing My Network Places, the root of the network namespace hierarchy. |
-
-
-CSIDL_PERSONAL |
-The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.
-A typical path is C:\Documents and Settings\username\My Documents. |
-
-
-CSIDL_PLAYLISTS |
-The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists. |
-
-
-CSIDL_PRINTERS |
-The virtual folder that contains installed printers. |
-
-
-CSIDL_PRINTHOOD |
-The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts. |
-
-
-CSIDL_PROFILE |
-The user's profile folder. A typical path is C:\Users\Username. |
-
-
-CSIDL_PROGRAMS |
-The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs. |
-
-
-CSIDL_RECENT |
-The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent. |
-
-
-CSIDL_SENDTO |
-The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo. |
-
-
-CSIDL_STARTMENU |
-The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu. |
-
-
-CSIDL_STARTUP |
-The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. |
-
-
-CSIDL_TEMPLATES |
-The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates. |
-
-
-HOMEPATH |
-Same as the standard environment variable. |
-
-
-TEMP |
-The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp. |
-
-
-TMP |
-The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp. |
-
-
-USERPROFILE |
-Same as CSIDL_PROFILE. |
-
-
-USERSID |
-Represents the current user-account security identifier (SID). For example,
-S-1-5-21-1714567821-1326601894-715345443-1026. |
-
-
-
-
-
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Recognized Environment Variables (Windows 10)
+description: Learn how to use environment variables to identify folders that may be different on different computers.
+ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Recognized Environment Variables
+
+
+When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file.
+
+## In This Topic
+
+
+- [Variables that are processed for the operating system and in the context of each user](#bkmk-1)
+
+- [Variables that are recognized only in the user context](#bkmk-2)
+
+## Variables that are processed for the operating system and in the context of each user
+
+
+You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`.
+
+
+
+
+
+
+
+
+
+
+
+ALLUSERSAPPDATA |
+Same as CSIDL_COMMON_APPDATA. |
+
+
+ALLUSERSPROFILE |
+Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users. |
+
+
+COMMONPROGRAMFILES |
+Same as CSIDL_PROGRAM_FILES_COMMON. |
+
+
+COMMONPROGRAMFILES(X86) |
+Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems. |
+
+
+CSIDL_COMMON_ADMINTOOLS |
+Version 10.0. The file-system directory that contains administrative tools for all users of the computer. |
+
+
+CSIDL_COMMON_ALTSTARTUP |
+The file-system directory that corresponds to the non-localized Startup program group for all users. |
+
+
+CSIDL_COMMON_APPDATA |
+The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData. |
+
+
+CSIDL_COMMON_DESKTOPDIRECTORY |
+The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop. |
+
+
+CSIDL_COMMON_DOCUMENTS |
+The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents. |
+
+
+CSIDL_COMMON_FAVORITES |
+The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites. |
+
+
+CSIDL_COMMON_MUSIC |
+The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music. |
+
+
+CSIDL_COMMON_PICTURES |
+The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures. |
+
+
+CSIDL_COMMON_PROGRAMS |
+The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs. |
+
+
+CSIDL_COMMON_STARTMENU |
+The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu. |
+
+
+CSIDL_COMMON_STARTUP |
+The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. |
+
+
+CSIDL_COMMON_TEMPLATES |
+The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates. |
+
+
+CSIDL_COMMON_VIDEO |
+The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos. |
+
+
+CSIDL_DEFAULT_APPDATA |
+Refers to the Appdata folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_LOCAL_APPDATA |
+Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_COOKIES |
+Refers to the Cookies folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_CONTACTS |
+Refers to the Contacts folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_DESKTOP |
+Refers to the Desktop folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_DOWNLOADS |
+Refers to the Downloads folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_FAVORITES |
+Refers to the Favorites folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_HISTORY |
+Refers to the History folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_INTERNET_CACHE |
+Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_PERSONAL |
+Refers to the Personal folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_MYDOCUMENTS |
+Refers to the My Documents folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_MYPICTURES |
+Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_MYMUSIC |
+Refers to the My Music folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_MYVIDEO |
+Refers to the My Videos folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_RECENT |
+Refers to the Recent folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_SENDTO |
+Refers to the Send To folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_STARTMENU |
+Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_PROGRAMS |
+Refers to the Programs folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_STARTUP |
+Refers to the Startup folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_TEMPLATES |
+Refers to the Templates folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_DEFAULT_QUICKLAUNCH |
+Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%. |
+
+
+CSIDL_FONTS |
+A virtual folder containing fonts. A typical path is C:\Windows\Fonts. |
+
+
+CSIDL_PROGRAM_FILESX86 |
+The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86). |
+
+
+CSIDL_PROGRAM_FILES_COMMONX86 |
+A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common. |
+
+
+CSIDL_PROGRAM_FILES |
+The Program Files folder. A typical path is C:\Program Files. |
+
+
+CSIDL_PROGRAM_FILES_COMMON |
+A folder for components that are shared across applications. A typical path is C:\Program Files\Common. |
+
+
+CSIDL_RESOURCES |
+The file-system directory that contains resource data. A typical path is C:\Windows\Resources. |
+
+
+CSIDL_SYSTEM |
+The Windows System folder. A typical path is C:\Windows\System32. |
+
+
+CSIDL_WINDOWS |
+The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows. |
+
+
+DEFAULTUSERPROFILE |
+Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile]. |
+
+
+PROFILESFOLDER |
+Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory]. |
+
+
+PROGRAMFILES |
+Same as CSIDL_PROGRAM_FILES. |
+
+
+PROGRAMFILES(X86) |
+Refers to the C:\Program Files (x86) folder on 64-bit systems. |
+
+
+SYSTEM |
+Refers to %WINDIR%\system32. |
+
+
+SYSTEM16 |
+Refers to %WINDIR%\system. |
+
+
+SYSTEM32 |
+Refers to %WINDIR%\system32. |
+
+
+SYSTEMPROFILE |
+Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath]. |
+
+
+SYSTEMROOT |
+Refers to the root of the system drive. |
+
+
+WINDIR |
+Refers to the Windows folder located on the system drive. |
+
+
+
+
+
+
+## Variables that are recognized only in the user context
+
+
+You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`.
+
+
+
+
+
+
+
+
+
+
+
+APPDATA |
+Same as CSIDL_APPDATA. |
+
+
+CSIDL_ADMINTOOLS |
+The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile. |
+
+
+CSIDL_ALTSTARTUP |
+The file-system directory that corresponds to the user's non-localized Startup program group. |
+
+
+CSIDL_APPDATA |
+The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming. |
+
+
+CSIDL_BITBUCKET |
+The virtual folder that contains the objects in the user's Recycle Bin. |
+
+
+CSIDL_CDBURN_AREA |
+The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning. |
+
+
+CSIDL_CONNECTIONS |
+The virtual folder representing Network Connections that contains network and dial-up connections. |
+
+
+CSIDL_CONTACTS |
+This refers to the Contacts folder in %CSIDL_PROFILE%. |
+
+
+CSIDL_CONTROLS |
+The virtual folder that contains icons for the Control Panel items. |
+
+
+CSIDL_COOKIES |
+The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies. |
+
+
+CSIDL_DESKTOP |
+The virtual folder representing the Windows desktop. |
+
+
+CSIDL_DESKTOPDIRECTORY |
+The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop. |
+
+
+CSIDL_DRIVES |
+The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives. |
+
+
+CSIDL_FAVORITES |
+The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites. |
+
+
+CSIDL_HISTORY |
+The file-system directory that serves as a common repository for Internet history items. |
+
+
+CSIDL_INTERNET |
+A virtual folder for Internet Explorer. |
+
+
+CSIDL_INTERNET_CACHE |
+The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files |
+
+
+CSIDL_LOCAL_APPDATA |
+The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local. |
+
+
+CSIDL_MYDOCUMENTS |
+The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents. |
+
+
+CSIDL_MYMUSIC |
+The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music. |
+
+
+CSIDL_MYPICTURES |
+The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures. |
+
+
+CSIDL_MYVIDEO |
+The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos. |
+
+
+CSIDL_NETHOOD |
+A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts. |
+
+
+CSIDL_NETWORK |
+A virtual folder representing My Network Places, the root of the network namespace hierarchy. |
+
+
+CSIDL_PERSONAL |
+The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.
+A typical path is C:\Documents and Settings\username\My Documents. |
+
+
+CSIDL_PLAYLISTS |
+The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists. |
+
+
+CSIDL_PRINTERS |
+The virtual folder that contains installed printers. |
+
+
+CSIDL_PRINTHOOD |
+The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts. |
+
+
+CSIDL_PROFILE |
+The user's profile folder. A typical path is C:\Users\Username. |
+
+
+CSIDL_PROGRAMS |
+The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs. |
+
+
+CSIDL_RECENT |
+The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent. |
+
+
+CSIDL_SENDTO |
+The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo. |
+
+
+CSIDL_STARTMENU |
+The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu. |
+
+
+CSIDL_STARTUP |
+The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. |
+
+
+CSIDL_TEMPLATES |
+The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates. |
+
+
+HOMEPATH |
+Same as the standard environment variable. |
+
+
+TEMP |
+The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp. |
+
+
+TMP |
+The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp. |
+
+
+USERPROFILE |
+Same as CSIDL_PROFILE. |
+
+
+USERSID |
+Represents the current user-account security identifier (SID). For example,
+S-1-5-21-1714567821-1326601894-715345443-1026. |
+
+
+
+
+
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index c5bcd4193c..7e00f19577 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -1,77 +1,78 @@
----
-title: User State Migration Toolkit (USMT) Reference (Windows 10)
-description: User State Migration Toolkit (USMT) Reference
-ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Toolkit (USMT) Reference
-
-
-## In This Section
-
-
-
-
-
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-
-[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-
-
-
-
-
-
-
-
-
+---
+title: User State Migration Toolkit (USMT) Reference (Windows 10)
+description: Use this User State Migration Toolkit (USMT) article to learn details about USMT, like operating system, hardware, and software requirements, and user prerequisites.
+ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Toolkit (USMT) Reference
+
+
+## In This Section
+
+
+
+
+
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+
+[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+
+[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index 22f64e513e..facc5fef91 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -1,6 +1,6 @@
---
title: Reroute Files and Settings (Windows 10)
-description: Reroute Files and Settings
+description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines to reroute files and settings.
ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index eaaa49a5d4..4866b61aaf 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -1,50 +1,51 @@
----
-title: USMT Resources (Windows 10)
-description: USMT Resources
-ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# USMT Resources
-
-
-## USMT Online Resources
-
-
-- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx)
-
-- Microsoft Visual Studio
-
- - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®.
-
- For more information about how to use the schema with your XML authoring environment, see the environment’s documentation.
-
-- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365)
-
-- Forums:
-
- - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386)
-
- - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388)
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-
-
-
-
-
-
-
-
-
+---
+title: USMT Resources (Windows 10)
+description: Learn about User State Migration Tool (USMT) online resources, including Microsoft Visual Studio and forums.
+ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# USMT Resources
+
+
+## USMT Online Resources
+
+
+- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx)
+
+- Microsoft Visual Studio
+
+ - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®.
+
+ For more information about how to use the schema with your XML authoring environment, see the environment’s documentation.
+
+- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365)
+
+- Forums:
+
+ - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386)
+
+ - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388)
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md
index c137197a5c..ba8e6da7c1 100644
--- a/windows/deployment/usmt/usmt-return-codes.md
+++ b/windows/deployment/usmt/usmt-return-codes.md
@@ -1,786 +1,787 @@
----
-title: Return Codes (Windows 10)
-description: Return Codes
-ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Return Codes
-
-
-This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error.
-
-Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md).
-
-## In This Topic
-
-
-[USMT Return Codes](#bkmk-returncodes)
-
-[USMT Error Messages](#bkmk-errormessages)
-
-[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors)
-
-## USMT Return Codes
-
-
-If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps.
-
-Return codes are grouped into the following broad categories that describe their area of error reporting:
-
-Success or User Cancel
-
-Invalid Command Lines
-
-Setup and Initialization
-
-Non-fatal Errors
-
-Fatal Errors
-
-As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger.
-
-## USMT Error Messages
-
-
-Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received.
-
-You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060).
-
-## Troubleshooting Return Codes and Error Messages
-
-
-The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-0 |
-USMT_SUCCESS |
-Successful run |
-Not applicable |
-Success or Cancel |
-
-
-1 |
-USMT_DISPLAY_HELP |
-Command line help requested |
-Not applicable |
-Success or Cancel |
-
-
-2 |
-USMT_STATUS_CANCELED |
-Gather was aborted because of an EFS file |
-Not applicable |
- |
-
-
- |
- |
-User chose to cancel (such as pressing CTRL+C) |
-Not applicable |
-Success or Cancel |
-
-
-3 |
-USMT_WOULD_HAVE_FAILED |
-At least one error was skipped as a result of /c |
-Review ScanState, LoadState, or UsmtUtils log for details about command-line errors. |
- |
-
-
-11 |
-USMT_INVALID_PARAMETERS |
-/all conflicts with /ui, /ue or /uel |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/auto expects an optional parameter for the script folder |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/encrypt can't be used with /nocompress |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/encrypt requires /key or /keyfile |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/genconfig can't be used with most other options |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/genmigxml can't be used with most other options |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/hardlink requires /nocompress |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/key and /keyfile both specified |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/key or /keyfile used without enabling encryption |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/lae is only used with /lac |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/listfiles cannot be used with /p |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/offline requires a valid path to an XML file describing offline paths |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/offlinewindir requires a valid path to offline windows folder |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-/offlinewinold requires a valid path to offline windows folder |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-A command was already specified |
-Verify that the command-line syntax is correct and that there are no duplicate commands. |
- |
-
-
- |
- |
-An option argument is missing |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-An option is specified more than once and is ambiguous |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed. |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-Command line arguments are required. Specify /? for options. |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-Command line option is not valid |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-EFS parameter specified is not valid for /efs |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-File argument is invalid for /genconfig |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-File argument is invalid for /genmigxml |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-Invalid space estimate path. Check the parameters and/or file system permissions |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-List file path argument is invalid for /listfiles |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-Retry argument must be an integer |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-Settings store argument specified is invalid |
-Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. |
- |
-
-
- |
- |
-Specified encryption algorithm is not supported |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-The /efs:hardlink requires /hardlink |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7 |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-The store parameter is required but not specified |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-The source-to-target domain mapping is invalid for /md |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-The source-to-target user account mapping is invalid for /mu |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-Undefined or incomplete command line option |
-Review ScanState log or LoadState log for details about command-line errors. |
-Invalid Command Lines |
-
-
- |
- |
-Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-User exclusion argument is invalid |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08) |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-Volume shadow copy feature is not supported with a hardlink store |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
- |
- |
-Wait delay argument must be an integer |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
-12 |
-USMT_ERROR_OPTION_PARAM_TOO_LARGE |
-Command line arguments cannot exceed 256 characters |
-Review ScanState log or LoadState log for details about command-line errors. |
-Invalid Command Lines |
-
-
- |
- |
-Specified settings store path exceeds the maximum allowed length of 256 characters |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
-13 |
-USMT_INIT_LOGFILE_FAILED |
-Log path argument is invalid for /l |
-When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct. |
-Invalid Command Lines |
-
-
-14 |
-USMT_ERROR_USE_LAC |
-Unable to create a local account because /lac was not specified |
-When creating local accounts, the command-line options /lac and /lae should be used. |
-Invalid Command Lines |
-
-
-26 |
-USMT_INIT_ERROR |
-Multiple Windows installations found |
-Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid. |
-Setup and Initialization |
-
-
- |
- |
-Software malfunction or unknown exception |
-Check all loaded .xml files for errors, common error when using /I to load the Config.xml file. |
- |
-
-
- |
- |
-Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries |
-Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping. |
- |
-
-
-27 |
-USMT_INVALID_STORE_LOCATION |
-A store path can't be used because an existing store exists; specify /o to overwrite |
-Specify /o to overwrite an existing intermediate or migration store. |
-Setup and Initialization |
-
-
- |
- |
-A store path is missing or has incomplete data |
-Make sure that the store path is accessible and that the proper permission levels are set. |
- |
-
-
- |
- |
-An error occurred during store creation |
-Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store. |
- |
-
-
- |
- |
-An inappropriate device such as a floppy disk was specified for the store |
-Make sure that the store path is accessible and that the proper permission levels are set. |
- |
-
-
- |
- |
-Invalid store path; check the store parameter and/or file system permissions |
-Invalid store path; check the store parameter and/or file system permissions |
- |
-
-
- |
- |
-The file layout and/or file content is not recognized as a valid store |
-Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store. |
- |
-
-
- |
- |
-The store path holds a store incompatible with the current USMT version |
-Make sure that the store path is accessible and that the proper permission levels are set. |
- |
-
-
- |
- |
-The store save location is read-only or does not support a requested storage option |
-Make sure that the store path is accessible and that the proper permission levels are set. |
- |
-
-
-28 |
-USMT_UNABLE_GET_SCRIPTFILES |
-Script file is invalid for /i |
-Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file. |
-Setup and Initialization |
-
-
- |
- |
-Unable to find a script file specified by /i |
-Verify the location of your script files, and ensure that the command-line options are correct. |
- |
-
-
-29 |
-USMT_FAILED_MIGSTARTUP |
-A minimum of 250 MB of free space is required for temporary files |
-Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory. |
-Setup and Initialization |
-
-
- |
- |
-Another process is preventing migration; only one migration tool can run at a time |
-Check the ScanState log file for migration .xml file errors. |
- |
-
-
- |
- |
-Failed to start main processing, look in log for system errors or check the installation |
-Check the ScanState log file for migration .xml file errors. |
- |
-
-
- |
- |
-Migration failed because of an XML error; look in the log for specific details |
-Check the ScanState log file for migration .xml file errors. |
- |
-
-
- |
- |
-Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table |
-Check the ScanState log file for migration .xml file errors. |
- |
-
-
-31 |
-USMT_UNABLE_FINDMIGUNITS |
-An error occurred during the discover phase; the log should have more specific information |
-Check the ScanState log file for migration .xml file errors. |
-Setup and Initialization |
-
-
-32 |
-USMT_FAILED_SETMIGRATIONTYPE |
-An error occurred processing the migration system |
-Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. |
-Setup and Initialization |
-
-
-33 |
-USMT_UNABLE_READKEY |
-Error accessing the file specified by the /keyfile parameter |
-Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. |
-Setup and Initialization |
-
-
- |
- |
-The encryption key must have at least one character |
-Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. |
- |
-
-
-34 |
-USMT_ERROR_INSUFFICIENT_RIGHTS |
-Directory removal requires elevated privileges |
-Log on as Administrator, and run with elevated privileges. |
-Setup and Initialization |
-
-
- |
- |
-No rights to create user profiles; log in as Administrator; run with elevated privileges |
-Log on as Administrator, and run with elevated privileges. |
- |
-
-
- |
- |
-No rights to read or delete user profiles; log in as Administrator, run with elevated privileges |
-Log on as Administrator, and run with elevated privileges. |
- |
-
-
-35 |
-USMT_UNABLE_DELETE_STORE |
-A reboot is required to remove the store |
-Reboot to delete any files that could not be deleted when the command was executed. |
-Setup and Initialization |
-
-
- |
- |
-A store path can't be used because it contains data that could not be overwritten |
-A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store. |
- |
-
-
- |
- |
-There was an error removing the store |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
-36 |
-USMT_ERROR_UNSUPPORTED_PLATFORM |
-Compliance check failure; please check the logs for details |
-Investigate whether there is an active temporary profile on the system. |
-Setup and Initialization |
-
-
- |
- |
-Use of /offline is not supported during apply |
-The /offline command was not used while running in the Windows Preinstallation Environment (WinPE). |
- |
-
-
- |
- |
-Use /offline to run gather on this platform |
-The /offline command was not used while running in WinPE. |
- |
-
-
-37 |
-USMT_ERROR_NO_INVALID_KEY |
-The store holds encrypted data but the correct encryption key was not provided |
-Verify that you have included the correct encryption /key or /keyfile. |
-Setup and Initialization |
-
-
-38 |
-USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE |
-An error occurred during store access |
-Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. |
-Setup and Initialization |
-
-
-39 |
-USMT_UNABLE_TO_READ_CONFIG_FILE |
-Error reading Config.xml |
-Review ScanState log or LoadState log for details about command-line errors in the Config.xml file. |
-Setup and Initialization |
-
-
- |
- |
-File argument is invalid for /config |
-Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line. |
- |
-
-
-40 |
-USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG |
-Error writing to the progress log |
-The Progress log could not be created. Verify that the location is valid and that you have write access. |
-Setup and Initialization |
-
-
- |
- |
-Progress log argument is invalid for /progress |
-The Progress log could not be created. Verify that the location is valid and that you have write access. |
- |
-
-
-41 |
-USMT_PREFLIGHT_FILE_CREATION_FAILED |
-Can't overwrite existing file |
-The Progress log could not be created. Verify that the location is valid and that you have write access. |
-Setup and Initialization |
-
-
- |
- |
-Invalid space estimate path. Check the parameters and/or file system permissions |
-Review ScanState log or LoadState log for details about command-line errors. |
- |
-
-
-42 |
-USMT_ERROR_CORRUPTED_STORE |
-The store contains one or more corrupted files |
-Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store. |
- |
-
-
-61 |
-USMT_MIGRATION_STOPPED_NONFATAL |
-Processing stopped due to an I/O error |
-USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option. |
-Non-fatal Errors |
-
-
-71 |
-USMT_INIT_OPERATING_ENVIRONMENT_FAILED |
-A Windows Win32 API error occurred |
-Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
-Fatal Errors |
-
-
- |
- |
-An error occurred when attempting to initialize the diagnostic mechanisms such as the log |
-Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
- |
-
-
- |
- |
-Failed to record diagnostic information |
-Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
- |
-
-
- |
- |
-Unable to start. Make sure you are running USMT with elevated privileges |
-Exit USMT and log in again with elevated privileges. |
- |
-
-
-72 |
-USMT_UNABLE_DOMIGRATION |
-An error occurred closing the store |
-Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
-Fatal Errors |
-
-
- |
- |
-An error occurred in the apply process |
-Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
- |
-
-
- |
- |
-An error occurred in the gather process |
-Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
- |
-
-
- |
- |
-Out of disk space while writing the store |
-Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
- |
-
-
- |
- |
-Out of temporary disk space on the local system |
-Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
- |
-
-
-
-
-
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-
-[Log Files](usmt-log-files.md)
-
-
-
-
-
-
-
-
-
+---
+title: Return Codes (Windows 10)
+description: Learn about User State Migration Tool (USMT) 10.0 return codes and error messages. Also view a list of USMT return codes and their associated migration steps.
+ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Return Codes
+
+
+This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error.
+
+Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md).
+
+## In This Topic
+
+
+[USMT Return Codes](#bkmk-returncodes)
+
+[USMT Error Messages](#bkmk-errormessages)
+
+[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors)
+
+## USMT Return Codes
+
+
+If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps.
+
+Return codes are grouped into the following broad categories that describe their area of error reporting:
+
+Success or User Cancel
+
+Invalid Command Lines
+
+Setup and Initialization
+
+Non-fatal Errors
+
+Fatal Errors
+
+As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger.
+
+## USMT Error Messages
+
+
+Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received.
+
+You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060).
+
+## Troubleshooting Return Codes and Error Messages
+
+
+The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+0 |
+USMT_SUCCESS |
+Successful run |
+Not applicable |
+Success or Cancel |
+
+
+1 |
+USMT_DISPLAY_HELP |
+Command line help requested |
+Not applicable |
+Success or Cancel |
+
+
+2 |
+USMT_STATUS_CANCELED |
+Gather was aborted because of an EFS file |
+Not applicable |
+ |
+
+
+ |
+ |
+User chose to cancel (such as pressing CTRL+C) |
+Not applicable |
+Success or Cancel |
+
+
+3 |
+USMT_WOULD_HAVE_FAILED |
+At least one error was skipped as a result of /c |
+Review ScanState, LoadState, or UsmtUtils log for details about command-line errors. |
+ |
+
+
+11 |
+USMT_INVALID_PARAMETERS |
+/all conflicts with /ui, /ue or /uel |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/auto expects an optional parameter for the script folder |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/encrypt can't be used with /nocompress |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/encrypt requires /key or /keyfile |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/genconfig can't be used with most other options |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/genmigxml can't be used with most other options |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/hardlink requires /nocompress |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/key and /keyfile both specified |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/key or /keyfile used without enabling encryption |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/lae is only used with /lac |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/listfiles cannot be used with /p |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/offline requires a valid path to an XML file describing offline paths |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/offlinewindir requires a valid path to offline windows folder |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+/offlinewinold requires a valid path to offline windows folder |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+A command was already specified |
+Verify that the command-line syntax is correct and that there are no duplicate commands. |
+ |
+
+
+ |
+ |
+An option argument is missing |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+An option is specified more than once and is ambiguous |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed. |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+Command line arguments are required. Specify /? for options. |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+Command line option is not valid |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+EFS parameter specified is not valid for /efs |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+File argument is invalid for /genconfig |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+File argument is invalid for /genmigxml |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+Invalid space estimate path. Check the parameters and/or file system permissions |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+List file path argument is invalid for /listfiles |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+Retry argument must be an integer |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+Settings store argument specified is invalid |
+Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. |
+ |
+
+
+ |
+ |
+Specified encryption algorithm is not supported |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+The /efs:hardlink requires /hardlink |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7 |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+The store parameter is required but not specified |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+The source-to-target domain mapping is invalid for /md |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+The source-to-target user account mapping is invalid for /mu |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+Undefined or incomplete command line option |
+Review ScanState log or LoadState log for details about command-line errors. |
+Invalid Command Lines |
+
+
+ |
+ |
+Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+User exclusion argument is invalid |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08) |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+Volume shadow copy feature is not supported with a hardlink store |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+ |
+ |
+Wait delay argument must be an integer |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+12 |
+USMT_ERROR_OPTION_PARAM_TOO_LARGE |
+Command line arguments cannot exceed 256 characters |
+Review ScanState log or LoadState log for details about command-line errors. |
+Invalid Command Lines |
+
+
+ |
+ |
+Specified settings store path exceeds the maximum allowed length of 256 characters |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+13 |
+USMT_INIT_LOGFILE_FAILED |
+Log path argument is invalid for /l |
+When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct. |
+Invalid Command Lines |
+
+
+14 |
+USMT_ERROR_USE_LAC |
+Unable to create a local account because /lac was not specified |
+When creating local accounts, the command-line options /lac and /lae should be used. |
+Invalid Command Lines |
+
+
+26 |
+USMT_INIT_ERROR |
+Multiple Windows installations found |
+Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid. |
+Setup and Initialization |
+
+
+ |
+ |
+Software malfunction or unknown exception |
+Check all loaded .xml files for errors, common error when using /I to load the Config.xml file. |
+ |
+
+
+ |
+ |
+Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries |
+Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping. |
+ |
+
+
+27 |
+USMT_INVALID_STORE_LOCATION |
+A store path can't be used because an existing store exists; specify /o to overwrite |
+Specify /o to overwrite an existing intermediate or migration store. |
+Setup and Initialization |
+
+
+ |
+ |
+A store path is missing or has incomplete data |
+Make sure that the store path is accessible and that the proper permission levels are set. |
+ |
+
+
+ |
+ |
+An error occurred during store creation |
+Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store. |
+ |
+
+
+ |
+ |
+An inappropriate device such as a floppy disk was specified for the store |
+Make sure that the store path is accessible and that the proper permission levels are set. |
+ |
+
+
+ |
+ |
+Invalid store path; check the store parameter and/or file system permissions |
+Invalid store path; check the store parameter and/or file system permissions |
+ |
+
+
+ |
+ |
+The file layout and/or file content is not recognized as a valid store |
+Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store. |
+ |
+
+
+ |
+ |
+The store path holds a store incompatible with the current USMT version |
+Make sure that the store path is accessible and that the proper permission levels are set. |
+ |
+
+
+ |
+ |
+The store save location is read-only or does not support a requested storage option |
+Make sure that the store path is accessible and that the proper permission levels are set. |
+ |
+
+
+28 |
+USMT_UNABLE_GET_SCRIPTFILES |
+Script file is invalid for /i |
+Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file. |
+Setup and Initialization |
+
+
+ |
+ |
+Unable to find a script file specified by /i |
+Verify the location of your script files, and ensure that the command-line options are correct. |
+ |
+
+
+29 |
+USMT_FAILED_MIGSTARTUP |
+A minimum of 250 MB of free space is required for temporary files |
+Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory. |
+Setup and Initialization |
+
+
+ |
+ |
+Another process is preventing migration; only one migration tool can run at a time |
+Check the ScanState log file for migration .xml file errors. |
+ |
+
+
+ |
+ |
+Failed to start main processing, look in log for system errors or check the installation |
+Check the ScanState log file for migration .xml file errors. |
+ |
+
+
+ |
+ |
+Migration failed because of an XML error; look in the log for specific details |
+Check the ScanState log file for migration .xml file errors. |
+ |
+
+
+ |
+ |
+Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table |
+Check the ScanState log file for migration .xml file errors. |
+ |
+
+
+31 |
+USMT_UNABLE_FINDMIGUNITS |
+An error occurred during the discover phase; the log should have more specific information |
+Check the ScanState log file for migration .xml file errors. |
+Setup and Initialization |
+
+
+32 |
+USMT_FAILED_SETMIGRATIONTYPE |
+An error occurred processing the migration system |
+Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. |
+Setup and Initialization |
+
+
+33 |
+USMT_UNABLE_READKEY |
+Error accessing the file specified by the /keyfile parameter |
+Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. |
+Setup and Initialization |
+
+
+ |
+ |
+The encryption key must have at least one character |
+Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. |
+ |
+
+
+34 |
+USMT_ERROR_INSUFFICIENT_RIGHTS |
+Directory removal requires elevated privileges |
+Log on as Administrator, and run with elevated privileges. |
+Setup and Initialization |
+
+
+ |
+ |
+No rights to create user profiles; log in as Administrator; run with elevated privileges |
+Log on as Administrator, and run with elevated privileges. |
+ |
+
+
+ |
+ |
+No rights to read or delete user profiles; log in as Administrator, run with elevated privileges |
+Log on as Administrator, and run with elevated privileges. |
+ |
+
+
+35 |
+USMT_UNABLE_DELETE_STORE |
+A reboot is required to remove the store |
+Reboot to delete any files that could not be deleted when the command was executed. |
+Setup and Initialization |
+
+
+ |
+ |
+A store path can't be used because it contains data that could not be overwritten |
+A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store. |
+ |
+
+
+ |
+ |
+There was an error removing the store |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+36 |
+USMT_ERROR_UNSUPPORTED_PLATFORM |
+Compliance check failure; please check the logs for details |
+Investigate whether there is an active temporary profile on the system. |
+Setup and Initialization |
+
+
+ |
+ |
+Use of /offline is not supported during apply |
+The /offline command was not used while running in the Windows Preinstallation Environment (WinPE). |
+ |
+
+
+ |
+ |
+Use /offline to run gather on this platform |
+The /offline command was not used while running in WinPE. |
+ |
+
+
+37 |
+USMT_ERROR_NO_INVALID_KEY |
+The store holds encrypted data but the correct encryption key was not provided |
+Verify that you have included the correct encryption /key or /keyfile. |
+Setup and Initialization |
+
+
+38 |
+USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE |
+An error occurred during store access |
+Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. |
+Setup and Initialization |
+
+
+39 |
+USMT_UNABLE_TO_READ_CONFIG_FILE |
+Error reading Config.xml |
+Review ScanState log or LoadState log for details about command-line errors in the Config.xml file. |
+Setup and Initialization |
+
+
+ |
+ |
+File argument is invalid for /config |
+Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line. |
+ |
+
+
+40 |
+USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG |
+Error writing to the progress log |
+The Progress log could not be created. Verify that the location is valid and that you have write access. |
+Setup and Initialization |
+
+
+ |
+ |
+Progress log argument is invalid for /progress |
+The Progress log could not be created. Verify that the location is valid and that you have write access. |
+ |
+
+
+41 |
+USMT_PREFLIGHT_FILE_CREATION_FAILED |
+Can't overwrite existing file |
+The Progress log could not be created. Verify that the location is valid and that you have write access. |
+Setup and Initialization |
+
+
+ |
+ |
+Invalid space estimate path. Check the parameters and/or file system permissions |
+Review ScanState log or LoadState log for details about command-line errors. |
+ |
+
+
+42 |
+USMT_ERROR_CORRUPTED_STORE |
+The store contains one or more corrupted files |
+Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store. |
+ |
+
+
+61 |
+USMT_MIGRATION_STOPPED_NONFATAL |
+Processing stopped due to an I/O error |
+USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option. |
+Non-fatal Errors |
+
+
+71 |
+USMT_INIT_OPERATING_ENVIRONMENT_FAILED |
+A Windows Win32 API error occurred |
+Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
+Fatal Errors |
+
+
+ |
+ |
+An error occurred when attempting to initialize the diagnostic mechanisms such as the log |
+Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
+ |
+
+
+ |
+ |
+Failed to record diagnostic information |
+Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
+ |
+
+
+ |
+ |
+Unable to start. Make sure you are running USMT with elevated privileges |
+Exit USMT and log in again with elevated privileges. |
+ |
+
+
+72 |
+USMT_UNABLE_DOMIGRATION |
+An error occurred closing the store |
+Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
+Fatal Errors |
+
+
+ |
+ |
+An error occurred in the apply process |
+Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
+ |
+
+
+ |
+ |
+An error occurred in the gather process |
+Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
+ |
+
+
+ |
+ |
+Out of disk space while writing the store |
+Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
+ |
+
+
+ |
+ |
+Out of temporary disk space on the local system |
+Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
+ |
+
+
+
+
+
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+
+[Log Files](usmt-log-files.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 83afe8628b..2a306d9af5 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -1,873 +1,874 @@
----
-title: ScanState Syntax (Windows 10)
-description: ScanState Syntax
-ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# ScanState Syntax
-
-
-The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
-
-## In This Topic
-
-
-[Before You Begin](#bkmk-beforeyoubegin)
-
-[Syntax](#bkmk-syntax)
-
-[Storage Options](#bkmk-storageoptions)
-
-[Migration Rule Options](#bkmk-migrationruleoptions)
-
-[Monitoring Options](#bkmk-monitoringoptions)
-
-[User Options](#bkmk-useroptions)
-
-[Encrypted File Options](#bkmk-efs)
-
-[Incompatible Command-Line Options](#bkmk-iclo)
-
-## Before You Begin
-
-
-Before you run the **ScanState** command, note the following:
-
-- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials.
-
-- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message.
-
-- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md).
-
-- Unless otherwise noted, you can use each option only once when running a tool on the command line.
-
-- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration.
-
-- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible.
-
-- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan.
-
-## Syntax
-
-
-This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator.
-
-The **ScanState** command's syntax is:
-
-scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\]
-
-For example:
-
-To create a Config.xml file in the current directory, use:
-
-`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13`
-
-To create an encrypted store using the Config.xml file and the default migration .xml files, use:
-
-`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"`
-
-## Storage Options
-
-
-
-
-
-
-
-
-
-
-
-
-StorePath |
-Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location. |
-
-
-/apps |
-Scans the image for apps and includes them and their associated registry settings. |
-
-
-/ppkg [<FileName>] |
-Exports to a specific file location. |
-
-
-/o |
-Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line. |
-
-
-/vsc |
-This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.
-This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option. |
-
-
-/hardlink |
-Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option. |
-
-
-/encrypt [{/key:<KeyString> | /keyfile:<file>]} |
-Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:
-
-/key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks. /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.
-We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.
-
- ImportantYou should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.
-
-
-
-The following example shows the ScanState command and the /key option:
-scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey
|
-
-
-/encrypt:<EncryptionStrength> |
-The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption. |
-
-
-/nocompress |
-Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.
-The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.
-For example:
-scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress
|
-
-
-
-
-
-
-## Run the ScanState Command on an Offline Windows System
-
-
-You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows.
-
-There are several benefits to running the **ScanState** command on an offline Windows image, including:
-
-- **Improved Performance.**
-
- Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly.
-
-- **Simplified end to end deployment process.**
-
- Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed.
-
-- **Improved success of migration.**
-
- The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system.
-
-- **Ability to recover an unbootable computer.**
-
- It might be possible to recover and migrate data from an unbootable computer.
-
-## Offline Migration Options
-
-
-
-
-
-
-
-
-
-
-
-
-/offline:"path to an offline.xml file" |
-This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration. |
-
-
-/offlinewindir:"path to a Windows directory" |
-This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE. |
-
-
-/offlinewinold:"Windows.old directory" |
-This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory. |
-
-
-
-
-
-
-## Migration Rule Options
-
-
-USMT provides the following options to specify what files you want to migrate.
-
-
-
-
-
-
-
-
-
-
-
-/i:[Path]FileName |
-(include)
-Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic. |
-
-
-/genconfig:[Path]FileName |
-(Generate Config.xml)
-Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.
-After you create this file, you will need to make use of it with the ScanState command using the /config option.
-The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.
-Examples:
- |
-
-
-/config:[Path</em>]FileName |
-Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.
-The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:
-scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log
-The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:
-loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log
|
-
-
-/auto:path to script files |
-This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5. |
-
-
-/genmigxml:path to a file |
-This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running. |
-
-
-/targetwindows8 |
-Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:
-
-To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1. To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration. |
-
-
-/targetwindows7 |
-Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:
-
-To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7. To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration. |
-
-
-/localonly |
-Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.
-Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.
-The /localonly command-line option includes or excludes data in the migration as identified in the following table:
-
-
-
-
-
-
-
-
-
-
-Removable drives such as a USB flash drive |
-Excluded |
-
-
-Network drives |
-Excluded |
-
-
-Fixed drives |
-Included |
-
-
-
- |
-
-
-
-
-
-
-## Monitoring Options
-
-
-USMT provides several options that you can use to analyze problems that occur during migration.
-
-**Note**
-The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option.
-
-
-
-
-
-
-
-
-
-
-
-
-
-/listfiles:<FileName> |
-You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration. |
-
-
-/l:[Path]FileName |
-Specifies the location and name of the ScanState log.
-You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.
-If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command. |
-
-
-/v:<VerbosityLevel> |
-(Verbosity)
-Enables verbose output in the ScanState log file. The default value is 0.
-You can set the VerbosityLevel to one of the following levels:
-
-
-
-
-
-
-
-
-
-
-0 |
-Only the default errors and warnings are enabled. |
-
-
-1 |
-Enables verbose output. |
-
-
-4 |
-Enables error and status output. |
-
-
-5 |
-Enables verbose and status output. |
-
-
-8 |
-Enables error output to a debugger. |
-
-
-9 |
-Enables verbose output to a debugger. |
-
-
-12 |
-Enables error and status output to a debugger. |
-
-
-13 |
-Enables verbose, status, and debugger output. |
-
-
-
-
-For example:
-scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml
- |
-
-
-/progress:[Path</em>]FileName |
-Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.
-For example:
-scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log
|
-
-
-/c |
-When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.
-You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. |
-
-
-/r:<TimesToRetry> |
-(Retry)
-Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.
-While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. |
-
-
-/w:<SecondsBeforeRetry> |
-(Wait)
-Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. |
-
-
-/p:<pathToFile> |
-When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:
-Scanstate.exe C:\MigrationLocation [additional parameters]
-/p:"C:\MigrationStoreSize.xml"
-For more information, see Estimate Migration Store Size.
-To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases. |
-
-
-/? or /help |
-Displays Help at the command line. |
-
-
-
-
-
-
-## User Options
-
-
-By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md).
-
-
-
-
-
-
-
-
-
-
-
-/all |
-Migrates all of the users on the computer.
-USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options. |
-
-
-/ui:<DomainName>\<UserName>
-or
-/ui:<ComputerName>\<LocalUserName> |
-(User include)
-Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
-
- NoteIf a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.
-
-
-
-For example:
-
-To include only User2 from the Fabrikam domain, type:
-/ue:*\* /ui:fabrikam\user2
-To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:
-/uel:30 /ui:fabrikam\*
-In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.
-
-For more examples, see the descriptions of the /ue and /ui options in this table. |
-
-
-/uel:<NumberOfDays>
-or
-/uel:<YYYY/MM/DD>
-or
-/uel:0 |
-(User exclude based on last logon)
-Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.
-You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.
-
- NoteThe /uel option is not valid in offline migrations.
-
-
-
-
-/uel:0 migrates any users who are currently logged on. /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days. /uel:1 migrates users whose account has been modified within the last 24 hours. /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.
-For example:
-scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0
|
-
-
-/ue:<DomainName>\<UserName>
--or-
-
-/ue:<ComputerName>\<LocalUserName> |
-(User exclude)
-Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.
-For example:
-scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1
|
-
-
-
-
-
-
-## How to Use /ui and /ue
-
-
-The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users.
-
-
-
-
-
-
-
-
-
-
-
-Exclude the user named User One in the Fabrikam domain. |
-/ue:"fabrikam\user one"
|
-
-
-Exclude the user named User1 in the Fabrikam domain. |
-/ue:fabrikam\user1
|
-
-
-Exclude the local user named User1. |
-/ue:%computername%\user1
|
-
-
-Exclude all domain users. |
-/ue:Domain\*
|
-
-
-Exclude all local users. |
-/ue:%computername%\*
|
-
-
-Exclude users in all domains named User1, User2, and so on. |
-/ue:*\user*
|
-
-
-
-
-
-
-## Using the Options Together
-
-
-You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated.
-
-The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option.
-
-The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days.
-
-
-
-
-
-
-
-
-
-
-
-Include only User2 from the Fabrikam domain and exclude all other users. |
-/ue:*\* /ui:fabrikam\user2
|
-
-
-Include only the local user named User1 and exclude all other users. |
-/ue:*\* /ui:user1
|
-
-
-Include only the domain users from Contoso, except Contoso\User1. |
-This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:
-
-On the ScanState command line, type: /ue:*\* /ui:contoso\* On the LoadState command line, type: /ue:contoso\user1 |
-
-
-Include only local (non-domain) users. |
-/ue:*\* /ui:%computername%\*
|
-
-
-
-
-
-
-## Encrypted File Options
-
-
-You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior.
-
-For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
-
-**Note**
-EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files
-
-
-
-**Caution**
-Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
-
-
-
-
-
-
-
-
-
-
-
-
-
-/efs:hardlink |
-Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options. |
-
-
-/efs:abort |
-Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default. |
-
-
-/efs:skip |
-Causes the ScanState command to ignore EFS files. |
-
-
-/efs:decryptcopy |
-Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer. |
-
-
-/efs:copyraw |
-Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.
-For example:
-ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw
-
- ImportantAll files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.
-
-
- |
-
-
-
-
-
-
-## Incompatible Command-Line Options
-
-
-The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-/i |
- |
- |
- |
- |
-
-
-/o |
- |
- |
- |
- |
-
-
-/v |
- |
- |
- |
- |
-
-
-/nocompress |
- |
- |
-X |
-N/A |
-
-
-/localonly |
- |
- |
-X |
- |
-
-
-/key |
-X |
- |
-X |
- |
-
-
-/encrypt |
-Required* |
-X |
-X |
- |
-
-
-/keyfile |
-N/A |
- |
-X |
- |
-
-
-/l |
- |
- |
- |
- |
-
-
-/progress |
- |
- |
-X |
- |
-
-
-/r |
- |
- |
-X |
- |
-
-
-/w |
- |
- |
-X |
- |
-
-
-/c |
- |
- |
-X |
- |
-
-
-/p |
- |
- |
-X |
-N/A |
-
-
-/all |
- |
- |
-X |
- |
-
-
-/ui |
- |
- |
-X |
-X |
-
-
-/ue |
- |
- |
-X |
-X |
-
-
-/uel |
- |
- |
-X |
-X |
-
-
-/efs:<option> |
- |
- |
-X |
- |
-
-
-/genconfig |
- |
- |
-N/A |
- |
-
-
-/config |
- |
- |
-X |
- |
-
-
-<StorePath> |
- |
- |
-X |
- |
-
-
-
-
-
-
-**Note**
-You must specify either the /**key** or /**keyfile** option with the /**encrypt** option.
-
-
-
-## Related topics
-
-
-[XML Elements Library](usmt-xml-elements-library.md)
-
-
-
-
-
-
-
-
-
+---
+title: ScanState Syntax (Windows 10)
+description: The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
+ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# ScanState Syntax
+
+
+The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
+
+## In This Topic
+
+
+[Before You Begin](#bkmk-beforeyoubegin)
+
+[Syntax](#bkmk-syntax)
+
+[Storage Options](#bkmk-storageoptions)
+
+[Migration Rule Options](#bkmk-migrationruleoptions)
+
+[Monitoring Options](#bkmk-monitoringoptions)
+
+[User Options](#bkmk-useroptions)
+
+[Encrypted File Options](#bkmk-efs)
+
+[Incompatible Command-Line Options](#bkmk-iclo)
+
+## Before You Begin
+
+
+Before you run the **ScanState** command, note the following:
+
+- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials.
+
+- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message.
+
+- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md).
+
+- Unless otherwise noted, you can use each option only once when running a tool on the command line.
+
+- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration.
+
+- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible.
+
+- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan.
+
+## Syntax
+
+
+This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator.
+
+The **ScanState** command's syntax is:
+
+scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\]
+
+For example:
+
+To create a Config.xml file in the current directory, use:
+
+`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13`
+
+To create an encrypted store using the Config.xml file and the default migration .xml files, use:
+
+`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"`
+
+## Storage Options
+
+
+
+
+
+
+
+
+
+
+
+
+StorePath |
+Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location. |
+
+
+/apps |
+Scans the image for apps and includes them and their associated registry settings. |
+
+
+/ppkg [<FileName>] |
+Exports to a specific file location. |
+
+
+/o |
+Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line. |
+
+
+/vsc |
+This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.
+This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option. |
+
+
+/hardlink |
+Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option. |
+
+
+/encrypt [{/key:<KeyString> | /keyfile:<file>]} |
+Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:
+
+/key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks. /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.
+We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.
+
+ ImportantYou should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.
+
+
+
+The following example shows the ScanState command and the /key option:
+scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey
|
+
+
+/encrypt:<EncryptionStrength> |
+The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption. |
+
+
+/nocompress |
+Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.
+The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.
+For example:
+scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress
|
+
+
+
+
+
+
+## Run the ScanState Command on an Offline Windows System
+
+
+You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows.
+
+There are several benefits to running the **ScanState** command on an offline Windows image, including:
+
+- **Improved Performance.**
+
+ Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly.
+
+- **Simplified end to end deployment process.**
+
+ Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed.
+
+- **Improved success of migration.**
+
+ The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system.
+
+- **Ability to recover an unbootable computer.**
+
+ It might be possible to recover and migrate data from an unbootable computer.
+
+## Offline Migration Options
+
+
+
+
+
+
+
+
+
+
+
+
+/offline:"path to an offline.xml file" |
+This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration. |
+
+
+/offlinewindir:"path to a Windows directory" |
+This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE. |
+
+
+/offlinewinold:"Windows.old directory" |
+This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory. |
+
+
+
+
+
+
+## Migration Rule Options
+
+
+USMT provides the following options to specify what files you want to migrate.
+
+
+
+
+
+
+
+
+
+
+
+/i:[Path]FileName |
+(include)
+Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic. |
+
+
+/genconfig:[Path]FileName |
+(Generate Config.xml)
+Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.
+After you create this file, you will need to make use of it with the ScanState command using the /config option.
+The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.
+Examples:
+ |
+
+
+/config:[Path</em>]FileName |
+Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.
+The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:
+scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log
+The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:
+loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log
|
+
+
+/auto:path to script files |
+This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5. |
+
+
+/genmigxml:path to a file |
+This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running. |
+
+
+/targetwindows8 |
+Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:
+
+To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1. To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration. |
+
+
+/targetwindows7 |
+Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:
+
+To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7. To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration. |
+
+
+/localonly |
+Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.
+Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.
+The /localonly command-line option includes or excludes data in the migration as identified in the following table:
+
+
+
+
+
+
+
+
+
+
+Removable drives such as a USB flash drive |
+Excluded |
+
+
+Network drives |
+Excluded |
+
+
+Fixed drives |
+Included |
+
+
+
+ |
+
+
+
+
+
+
+## Monitoring Options
+
+
+USMT provides several options that you can use to analyze problems that occur during migration.
+
+**Note**
+The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option.
+
+
+
+
+
+
+
+
+
+
+
+
+
+/listfiles:<FileName> |
+You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration. |
+
+
+/l:[Path]FileName |
+Specifies the location and name of the ScanState log.
+You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.
+If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command. |
+
+
+/v:<VerbosityLevel> |
+(Verbosity)
+Enables verbose output in the ScanState log file. The default value is 0.
+You can set the VerbosityLevel to one of the following levels:
+
+
+
+
+
+
+
+
+
+
+0 |
+Only the default errors and warnings are enabled. |
+
+
+1 |
+Enables verbose output. |
+
+
+4 |
+Enables error and status output. |
+
+
+5 |
+Enables verbose and status output. |
+
+
+8 |
+Enables error output to a debugger. |
+
+
+9 |
+Enables verbose output to a debugger. |
+
+
+12 |
+Enables error and status output to a debugger. |
+
+
+13 |
+Enables verbose, status, and debugger output. |
+
+
+
+
+For example:
+scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml
+ |
+
+
+/progress:[Path</em>]FileName |
+Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.
+For example:
+scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log
|
+
+
+/c |
+When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.
+You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. |
+
+
+/r:<TimesToRetry> |
+(Retry)
+Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.
+While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. |
+
+
+/w:<SecondsBeforeRetry> |
+(Wait)
+Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. |
+
+
+/p:<pathToFile> |
+When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:
+Scanstate.exe C:\MigrationLocation [additional parameters]
+/p:"C:\MigrationStoreSize.xml"
+For more information, see Estimate Migration Store Size.
+To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases. |
+
+
+/? or /help |
+Displays Help at the command line. |
+
+
+
+
+
+
+## User Options
+
+
+By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md).
+
+
+
+
+
+
+
+
+
+
+
+/all |
+Migrates all of the users on the computer.
+USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options. |
+
+
+/ui:<DomainName>\<UserName>
+or
+/ui:<ComputerName>\<LocalUserName> |
+(User include)
+Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
+
+ NoteIf a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.
+
+
+
+For example:
+
+To include only User2 from the Fabrikam domain, type:
+/ue:*\* /ui:fabrikam\user2
+To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:
+/uel:30 /ui:fabrikam\*
+In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.
+
+For more examples, see the descriptions of the /ue and /ui options in this table. |
+
+
+/uel:<NumberOfDays>
+or
+/uel:<YYYY/MM/DD>
+or
+/uel:0 |
+(User exclude based on last logon)
+Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.
+You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.
+
+ NoteThe /uel option is not valid in offline migrations.
+
+
+
+
+/uel:0 migrates any users who are currently logged on. /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days. /uel:1 migrates users whose account has been modified within the last 24 hours. /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.
+For example:
+scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0
|
+
+
+/ue:<DomainName>\<UserName>
+-or-
+
+/ue:<ComputerName>\<LocalUserName> |
+(User exclude)
+Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.
+For example:
+scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1
|
+
+
+
+
+
+
+## How to Use /ui and /ue
+
+
+The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users.
+
+
+
+
+
+
+
+
+
+
+
+Exclude the user named User One in the Fabrikam domain. |
+/ue:"fabrikam\user one"
|
+
+
+Exclude the user named User1 in the Fabrikam domain. |
+/ue:fabrikam\user1
|
+
+
+Exclude the local user named User1. |
+/ue:%computername%\user1
|
+
+
+Exclude all domain users. |
+/ue:Domain\*
|
+
+
+Exclude all local users. |
+/ue:%computername%\*
|
+
+
+Exclude users in all domains named User1, User2, and so on. |
+/ue:*\user*
|
+
+
+
+
+
+
+## Using the Options Together
+
+
+You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated.
+
+The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option.
+
+The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days.
+
+
+
+
+
+
+
+
+
+
+
+Include only User2 from the Fabrikam domain and exclude all other users. |
+/ue:*\* /ui:fabrikam\user2
|
+
+
+Include only the local user named User1 and exclude all other users. |
+/ue:*\* /ui:user1
|
+
+
+Include only the domain users from Contoso, except Contoso\User1. |
+This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:
+
+On the ScanState command line, type: /ue:*\* /ui:contoso\* On the LoadState command line, type: /ue:contoso\user1 |
+
+
+Include only local (non-domain) users. |
+/ue:*\* /ui:%computername%\*
|
+
+
+
+
+
+
+## Encrypted File Options
+
+
+You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior.
+
+For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
+
+**Note**
+EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files
+
+
+
+**Caution**
+Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
+
+
+
+
+
+
+
+
+
+
+
+
+
+/efs:hardlink |
+Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options. |
+
+
+/efs:abort |
+Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default. |
+
+
+/efs:skip |
+Causes the ScanState command to ignore EFS files. |
+
+
+/efs:decryptcopy |
+Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer. |
+
+
+/efs:copyraw |
+Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.
+For example:
+ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw
+
+ ImportantAll files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.
+
+
+ |
+
+
+
+
+
+
+## Incompatible Command-Line Options
+
+
+The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/i |
+ |
+ |
+ |
+ |
+
+
+/o |
+ |
+ |
+ |
+ |
+
+
+/v |
+ |
+ |
+ |
+ |
+
+
+/nocompress |
+ |
+ |
+X |
+N/A |
+
+
+/localonly |
+ |
+ |
+X |
+ |
+
+
+/key |
+X |
+ |
+X |
+ |
+
+
+/encrypt |
+Required* |
+X |
+X |
+ |
+
+
+/keyfile |
+N/A |
+ |
+X |
+ |
+
+
+/l |
+ |
+ |
+ |
+ |
+
+
+/progress |
+ |
+ |
+X |
+ |
+
+
+/r |
+ |
+ |
+X |
+ |
+
+
+/w |
+ |
+ |
+X |
+ |
+
+
+/c |
+ |
+ |
+X |
+ |
+
+
+/p |
+ |
+ |
+X |
+N/A |
+
+
+/all |
+ |
+ |
+X |
+ |
+
+
+/ui |
+ |
+ |
+X |
+X |
+
+
+/ue |
+ |
+ |
+X |
+X |
+
+
+/uel |
+ |
+ |
+X |
+X |
+
+
+/efs:<option> |
+ |
+ |
+X |
+ |
+
+
+/genconfig |
+ |
+ |
+N/A |
+ |
+
+
+/config |
+ |
+ |
+X |
+ |
+
+
+<StorePath> |
+ |
+ |
+X |
+ |
+
+
+
+
+
+
+**Note**
+You must specify either the /**key** or /**keyfile** option with the /**encrypt** option.
+
+
+
+## Related topics
+
+
+[XML Elements Library](usmt-xml-elements-library.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 183f7bc16e..564ab2c53c 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -1,6 +1,6 @@
---
title: Test Your Migration (Windows 10)
-description: Test Your Migration
+description: Learn about testing your migration plan in a controlled laboratory setting before you deploy it to your entire organization.
ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index 69321a476c..2e73d33887 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -1,30 +1,31 @@
----
-title: User State Migration Tool (USMT) Overview Topics (Windows 10)
-description: User State Migration Tool (USMT) Overview Topics
-ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Overview Topics
-The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
-
-## In This Section
-
-|Topic |Description|
-|------|-----------|
-|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.|
-|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.|
-|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.|
-
-## Related topics
-- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+---
+title: User State Migration Tool (USMT) Overview Topics (Windows 10)
+description: Learn about User State Migration Tool (USMT) overview topics that describe USMT as a highly customizable user-profile migration experience for IT professionals.
+ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Overview Topics
+The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
+
+## In This Section
+
+|Topic |Description|
+|------|-----------|
+|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.|
+|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.|
+|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.|
+
+## Related topics
+- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 085f3892d2..1c629df5ec 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -1,73 +1,74 @@
----
-title: User State Migration Tool (USMT) Troubleshooting (Windows 10)
-description: User State Migration Tool (USMT) Troubleshooting
-ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Troubleshooting
-
-
-The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration.
-
-## In This Section
-
-
-
-
-
-
-
-
-
-Common Issues |
-Find troubleshooting solutions for common problems in USMT. |
-
-
-Frequently Asked Questions |
-Find answers to questions about how to use USMT. |
-
-
-Log Files |
-Learn how to enable logging to help you troubleshoot issues in USMT. |
-
-
-Return Codes |
-Learn how to use return codes to identify problems in USMT. |
-
-
-USMT Resources |
-Find more information and support for using USMT. |
-
-
-
-
-
-
-## Related topics
-
-
-[USMT Best Practices](usmt-best-practices.md)
-
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-
-[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-
-[User State Migration Toolkit (USMT) Reference](usmt-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: User State Migration Tool (USMT) Troubleshooting (Windows 10)
+description: Learn about topics that address common User State Migration Tool (USMT) 10.0 issues and questions to assist in troubleshooting.
+ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Troubleshooting
+
+
+The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration.
+
+## In This Section
+
+
+
+
+
+
+
+
+
+Common Issues |
+Find troubleshooting solutions for common problems in USMT. |
+
+
+Frequently Asked Questions |
+Find answers to questions about how to use USMT. |
+
+
+Log Files |
+Learn how to enable logging to help you troubleshoot issues in USMT. |
+
+
+Return Codes |
+Learn how to use return codes to identify problems in USMT. |
+
+
+USMT Resources |
+Find more information and support for using USMT. |
+
+
+
+
+
+
+## Related topics
+
+
+[USMT Best Practices](usmt-best-practices.md)
+
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+
+[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+
+[User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 4e9269a29d..d87666c8b6 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -1,351 +1,352 @@
----
-title: UsmtUtils Syntax (Windows 10)
-description: UsmtUtils Syntax
-ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# UsmtUtils Syntax
-
-
-This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities:
-
-- Improve your ability to determine cryptographic options for your migration.
-
-- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock.
-
-- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted.
-
-- Extract files from the compressed migration store when you migrate files and settings to the destination computer.
-
-## In This Topic
-
-
-[Usmtutils.exe](#bkmk-usmtutils-exe)
-
-[Verify Options](#bkmk-verifyoptions)
-
-[Extract Options](#bkmk-extractoptions)
-
-## Usmtutils.exe
-
-
-The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options.
-
-The syntax for UsmtUtils.exe is:
-
-usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\]
-
-
-
-
-
-
-
-
-
-
-
-/ec |
-Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer. |
-
-
-/rd<storeDir> |
-Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.
-For example:
-usmtutils /rd D:\MyHardLinkStore
|
-
-
-/y |
-Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories. |
-
-
-/verify |
-Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.
-See Verify Options for syntax and options to use with /verify. |
-
-
-/extract |
-Recovers files from a compressed USMT migration store.
-See Extract Options for syntax and options to use with /extract. |
-
-
-
-
-
-
-## Verify Options
-
-
-Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
-
-The syntax for **/verify** is:
-
-usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\]
-
-
-
-
-
-
-
-
-
-
-
-<reportType> |
-Specifies whether to report on all files, corrupted files only, or the status of the catalog.
-
-Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default. all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted. failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store. Catalog. Returns only the status of the catalog file. |
-
-
-| /l:
- <logfilePath> |
-Specifies the location and name of the log file. |
-
-
-/v:<VerbosityLevel> |
-(Verbosity)
-Enables verbose output in the UsmtUtils log file. The default value is 0.
-You can set the VerbosityLevel to one of the following levels:
-
-
-
-
-
-
-
-
-
-
-0 |
-Only the default errors and warnings are enabled. |
-
-
-1 |
-Enables verbose output. |
-
-
-4 |
-Enables error and status output. |
-
-
-5 |
-Enables verbose and status output. |
-
-
-8 |
-Enables error output to a debugger. |
-
-
-9 |
-Enables verbose output to a debugger. |
-
-
-12 |
-Enables error and status output to a debugger. |
-
-
-13 |
-Enables verbose, status, and debugger output. |
-
-
-
- |
-
-
-/decrypt<AlgID>/:<KeyString>
-or
-/decrypt<AlgID>/:<“Key String”>
-or
-/decrypt:<AlgID>/keyfile:<FileName> |
-Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:
-
-<AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
-<AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112. /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks. /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.
-For more information about supported encryption algorithms, see Migration Store Encryption |
-
-
-
-
-
-
-Some examples of **/verify** commands:
-
-- `usmtutils /verify D:\MyMigrationStore\store.mig`
-
-- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig`
-
-- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
-
-- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt`
-
-## Extract Options
-
-
-Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
-
-The syntax for **/extract** is:
-
-/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\]
-
-
-
-
-
-
-
-
-
-
-
-<filePath> |
-Path to the USMT migration store.
-For example:
-D:\MyMigrationStore\USMT\store.mig
|
-
-
-<destinationPath> |
-Path to the folder where the tool puts the individual files. |
-
-
-/i:<includePattern> |
-Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. |
-
-
-/e:<excludePattern> |
-Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. |
-
-
-/l:<logfilePath> |
-Specifies the location and name of the log file. |
-
-
-/v:<VerbosityLevel> |
-(Verbosity)
-Enables verbose output in the UsmtUtils log file. The default value is 0.
-You can set the VerbosityLevel to one of the following levels:
-
-
-
-
-
-
-
-
-
-
-0 |
-Only the default errors and warnings are enabled. |
-
-
-1 |
-Enables verbose output. |
-
-
-4 |
-Enables error and status output. |
-
-
-5 |
-Enables verbose and status output. |
-
-
-8 |
-Enables error output to a debugger. |
-
-
-9 |
-Enables verbose output to a debugger. |
-
-
-12 |
-Enables error and status output to a debugger. |
-
-
-13 |
-Enables verbose, status, and debugger output. |
-
-
-
- |
-
-
-/decrypt<AlgID>/key:<KeyString>
-or
-/decrypt<AlgID>/:<“Key String”>
-or
-/decrypt:<AlgID>/keyfile:<FileName> |
-Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:
-
-<AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
-<AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112. /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks. /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key
-For more information about supported encryption algorithms, see Migration Store Encryption. |
-
-
-/o |
-Overwrites existing output files. |
-
-
-
-
-
-
-Some examples of **/extract** commands:
-
-- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore`
-
-- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt`
-
-- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt`
-
-- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o`
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
-
-[Return Codes](usmt-return-codes.md)
-
-
-
-
-
-
-
-
-
+---
+title: UsmtUtils Syntax (Windows 10)
+description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface.
+ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# UsmtUtils Syntax
+
+
+This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities:
+
+- Improve your ability to determine cryptographic options for your migration.
+
+- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock.
+
+- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted.
+
+- Extract files from the compressed migration store when you migrate files and settings to the destination computer.
+
+## In This Topic
+
+
+[Usmtutils.exe](#bkmk-usmtutils-exe)
+
+[Verify Options](#bkmk-verifyoptions)
+
+[Extract Options](#bkmk-extractoptions)
+
+## Usmtutils.exe
+
+
+The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options.
+
+The syntax for UsmtUtils.exe is:
+
+usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\]
+
+
+
+
+
+
+
+
+
+
+
+/ec |
+Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer. |
+
+
+/rd<storeDir> |
+Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.
+For example:
+usmtutils /rd D:\MyHardLinkStore
|
+
+
+/y |
+Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories. |
+
+
+/verify |
+Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.
+See Verify Options for syntax and options to use with /verify. |
+
+
+/extract |
+Recovers files from a compressed USMT migration store.
+See Extract Options for syntax and options to use with /extract. |
+
+
+
+
+
+
+## Verify Options
+
+
+Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
+
+The syntax for **/verify** is:
+
+usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\]
+
+
+
+
+
+
+
+
+
+
+
+<reportType> |
+Specifies whether to report on all files, corrupted files only, or the status of the catalog.
+
+Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default. all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted. failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store. Catalog. Returns only the status of the catalog file. |
+
+
+| /l:
+ <logfilePath> |
+Specifies the location and name of the log file. |
+
+
+/v:<VerbosityLevel> |
+(Verbosity)
+Enables verbose output in the UsmtUtils log file. The default value is 0.
+You can set the VerbosityLevel to one of the following levels:
+
+
+
+
+
+
+
+
+
+
+0 |
+Only the default errors and warnings are enabled. |
+
+
+1 |
+Enables verbose output. |
+
+
+4 |
+Enables error and status output. |
+
+
+5 |
+Enables verbose and status output. |
+
+
+8 |
+Enables error output to a debugger. |
+
+
+9 |
+Enables verbose output to a debugger. |
+
+
+12 |
+Enables error and status output to a debugger. |
+
+
+13 |
+Enables verbose, status, and debugger output. |
+
+
+
+ |
+
+
+/decrypt<AlgID>/:<KeyString>
+or
+/decrypt<AlgID>/:<“Key String”>
+or
+/decrypt:<AlgID>/keyfile:<FileName> |
+Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:
+
+<AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
+<AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112. /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks. /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.
+For more information about supported encryption algorithms, see Migration Store Encryption |
+
+
+
+
+
+
+Some examples of **/verify** commands:
+
+- `usmtutils /verify D:\MyMigrationStore\store.mig`
+
+- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig`
+
+- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
+
+- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt`
+
+## Extract Options
+
+
+Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
+
+The syntax for **/extract** is:
+
+/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\]
+
+
+
+
+
+
+
+
+
+
+
+<filePath> |
+Path to the USMT migration store.
+For example:
+D:\MyMigrationStore\USMT\store.mig
|
+
+
+<destinationPath> |
+Path to the folder where the tool puts the individual files. |
+
+
+/i:<includePattern> |
+Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. |
+
+
+/e:<excludePattern> |
+Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. |
+
+
+/l:<logfilePath> |
+Specifies the location and name of the log file. |
+
+
+/v:<VerbosityLevel> |
+(Verbosity)
+Enables verbose output in the UsmtUtils log file. The default value is 0.
+You can set the VerbosityLevel to one of the following levels:
+
+
+
+
+
+
+
+
+
+
+0 |
+Only the default errors and warnings are enabled. |
+
+
+1 |
+Enables verbose output. |
+
+
+4 |
+Enables error and status output. |
+
+
+5 |
+Enables verbose and status output. |
+
+
+8 |
+Enables error output to a debugger. |
+
+
+9 |
+Enables verbose output to a debugger. |
+
+
+12 |
+Enables error and status output to a debugger. |
+
+
+13 |
+Enables verbose, status, and debugger output. |
+
+
+
+ |
+
+
+/decrypt<AlgID>/key:<KeyString>
+or
+/decrypt<AlgID>/:<“Key String”>
+or
+/decrypt:<AlgID>/keyfile:<FileName> |
+Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:
+
+<AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
+<AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112. /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks. /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key
+For more information about supported encryption algorithms, see Migration Store Encryption. |
+
+
+/o |
+Overwrites existing output files. |
+
+
+
+
+
+
+Some examples of **/extract** commands:
+
+- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore`
+
+- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt`
+
+- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt`
+
+- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o`
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
+
+[Return Codes](usmt-return-codes.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index 4fc36c33bc..2152530861 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -1,429 +1,430 @@
----
-title: What does USMT migrate (Windows 10)
-description: What does USMT migrate
-ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 09/12/2017
-ms.topic: article
----
-
-# What does USMT migrate?
-
-
-## In this topic
-
-
-- [Default migration scripts](#bkmk-defaultmigscripts)
-
-- [User Data](#bkmk-3)
-
-- [Operating-system components](#bkmk-4)
-
-- [Supported applications](#bkmk-2)
-
-- [What USMT does not migrate](#no)
-
-## Default migration scripts
-
-
-The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
-
-- **MigApp.XML.** Rules to migrate application settings.
-
-- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files.
-
-- **MigUser.XML.** Rules to migrate user profiles and user data.
-
- MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration.
-
- The following data does not migrate with MigUser.xml:
-
- - Files outside the user profile that don’t match one of the file extensions in MigUser.xml.
-
- - Access control lists (ACLs) for folders outside the user profile.
-
-## User data
-
-
-This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs.
-
-- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following:
-
- My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites.
-
- >[!IMPORTANT]
- >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
-
-- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8:
-
- - Shared Documents
-
- - Shared Video
-
- - Shared Music
-
- - Shared desktop files
-
- - Shared Pictures
-
- - Shared Start menu
-
- - Shared Favorites
-
-- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions:
-
- **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.**
-
- **Note**
- The asterisk (\*) stands for zero or more characters.
-
-
-
-- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration.
-
-**Important**
-To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`.
-
-
-
-## Operating-system components
-
-
-USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8
-
-The following components are migrated by default using the manifest files:
-
-- Accessibility settings
-
-- Address book
-
-- Command-prompt settings
-
-- \*Desktop wallpaper
-
-- EFS files
-
-- Favorites
-
-- Folder options
-
-- Fonts
-
-- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required.
-
-- \*Windows Internet Explorer® settings
-
-- Microsoft® Open Database Connectivity (ODBC) settings
-
-- Mouse and keyboard settings
-
-- Network drive mapping
-
-- \*Network printer mapping
-
-- \*Offline files
-
-- \*Phone and modem options
-
-- RAS connection and phone book (.pbk) files
-
-- \*Regional settings
-
-- Remote Access
-
-- \*Taskbar settings
-
-- User personal certificates (all)
-
-- Windows Mail.
-
-- \*Windows Media Player
-
-- Windows Rights Management
-
-\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md).
-
-**Important**
-This list may not be complete. There may be additional components that are migrated.
-
-
-
-**Note**
-Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool.
-
-
-
-## Supported applications
-
-
-Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers.
-
-**Note**
-The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office.
-
-
-
-**Note**
-USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate.
-
-
-
-When you specify the MigApp.xml file, USMT migrates the settings for the following applications:
-
-
-
-
-
-
-
-
-
-
-
-Adobe Acrobat Reader |
-9 |
-
-
-AOL Instant Messenger |
-6.8 |
-
-
-Adobe Creative Suite |
-2 |
-
-
-Adobe Photoshop CS |
-8, 9 |
-
-
-Adobe ImageReady CS |
- |
-
-
-Apple iTunes |
-6, 7, 8 |
-
-
-Apple QuickTime Player |
-5, 6, 7 |
-
-
-Apple Safari |
-3.1.2 |
-
-
-Google Chrome |
-beta |
-
-
-Google Picasa |
-3 |
-
-
-Google Talk |
-beta |
-
-
-IBM Lotus 1-2-3 |
-9 |
-
-
-IBM Lotus Notes |
-6,7, 8 |
-
-
-IBM Lotus Organizer |
-5 |
-
-
-IBM Lotus WordPro |
-9.9 |
-
-
-Intuit Quicken Deluxe |
-2009 |
-
-
-Money Plus Business |
-2008 |
-
-
-Money Plus Home |
-2008 |
-
-
-Mozilla Firefox |
-3 |
-
-
-Microsoft Office |
-2003, 2007, 2010 |
-
-
-Microsoft Office Access® |
-2003, 2007, 2010 |
-
-
-Microsoft Office Excel® |
-2003, 2007, 2010 |
-
-
-Microsoft Office FrontPage® |
-2003, 2007, 2010 |
-
-
-Microsoft Office OneNote® |
-2003, 2007, 2010 |
-
-
-Microsoft Office Outlook® |
-2003, 2007, 2010 |
-
-
-Microsoft Office PowerPoint® |
-2003, 2007, 2010 |
-
-
-Microsoft Office Publisher |
-2003, 2007, 2010 |
-
-
-Microsoft Office Word |
-2003, 2007, 2010 |
-
-
-Opera Software Opera |
-9.5 |
-
-
-Microsoft Outlook Express |
-(only mailbox file) |
-
-
-Microsoft Project |
-2003, 2007 |
-
-
-Microsoft Office Visio® |
-2003, 2007 |
-
-
-RealPlayer Basic |
-11 |
-
-
-Sage Peachtree |
-2009 |
-
-
-Skype |
-3.8 |
-
-
-Windows Live Mail |
-12, 14 |
-
-
-Windows Live Messenger |
-8.5, 14 |
-
-
-Windows Live MovieMaker |
-14 |
-
-
-Windows Live Photo Gallery |
-12, 14 |
-
-
-Windows Live Writer |
-12, 14 |
-
-
-Windows Mail |
-(Windows 7 and 8) |
-
-
-Microsoft Works |
-9 |
-
-
-Yahoo Messenger |
-9 |
-
-
-Microsoft Zune™ Software |
-3 |
-
-
-
-
-
-
-## What USMT does not migrate
-
-
-The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md).
-
-### Application settings
-
-USMT does not migrate the following application settings:
-
-- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version.
-
-- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate.
-
-- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system.
-
-- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when:
-
- - You change the default installation location on 32-bit destination computers.
-
- - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”.
-
-### Operating-System settings
-
-USMT does not migrate the following operating-system settings.
-
-- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files.
-
-- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer.
-
-- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer.
-
-- Customized icons for shortcuts may not migrate.
-
-- Taskbar settings, when the source computer is running Windows XP.
-
-You should also note the following:
-
-- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**.
-
-- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
-
-### Start menu layout
-
-Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
-
-## Related topics
-
-
-[Plan your migration](usmt-plan-your-migration.md)
-
-
-
-
-
-
-
-
-
+---
+title: What does USMT migrate (Windows 10)
+description: Learn how User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language.
+ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 09/12/2017
+ms.topic: article
+---
+
+# What does USMT migrate?
+
+
+## In this topic
+
+
+- [Default migration scripts](#bkmk-defaultmigscripts)
+
+- [User Data](#bkmk-3)
+
+- [Operating-system components](#bkmk-4)
+
+- [Supported applications](#bkmk-2)
+
+- [What USMT does not migrate](#no)
+
+## Default migration scripts
+
+
+The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
+
+- **MigApp.XML.** Rules to migrate application settings.
+
+- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files.
+
+- **MigUser.XML.** Rules to migrate user profiles and user data.
+
+ MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration.
+
+ The following data does not migrate with MigUser.xml:
+
+ - Files outside the user profile that don’t match one of the file extensions in MigUser.xml.
+
+ - Access control lists (ACLs) for folders outside the user profile.
+
+## User data
+
+
+This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs.
+
+- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following:
+
+ My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites.
+
+ >[!IMPORTANT]
+ >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
+
+- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8:
+
+ - Shared Documents
+
+ - Shared Video
+
+ - Shared Music
+
+ - Shared desktop files
+
+ - Shared Pictures
+
+ - Shared Start menu
+
+ - Shared Favorites
+
+- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions:
+
+ **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.**
+
+ **Note**
+ The asterisk (\*) stands for zero or more characters.
+
+
+
+- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration.
+
+**Important**
+To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`.
+
+
+
+## Operating-system components
+
+
+USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8
+
+The following components are migrated by default using the manifest files:
+
+- Accessibility settings
+
+- Address book
+
+- Command-prompt settings
+
+- \*Desktop wallpaper
+
+- EFS files
+
+- Favorites
+
+- Folder options
+
+- Fonts
+
+- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required.
+
+- \*Windows Internet Explorer® settings
+
+- Microsoft® Open Database Connectivity (ODBC) settings
+
+- Mouse and keyboard settings
+
+- Network drive mapping
+
+- \*Network printer mapping
+
+- \*Offline files
+
+- \*Phone and modem options
+
+- RAS connection and phone book (.pbk) files
+
+- \*Regional settings
+
+- Remote Access
+
+- \*Taskbar settings
+
+- User personal certificates (all)
+
+- Windows Mail.
+
+- \*Windows Media Player
+
+- Windows Rights Management
+
+\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md).
+
+**Important**
+This list may not be complete. There may be additional components that are migrated.
+
+
+
+**Note**
+Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool.
+
+
+
+## Supported applications
+
+
+Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers.
+
+**Note**
+The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office.
+
+
+
+**Note**
+USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate.
+
+
+
+When you specify the MigApp.xml file, USMT migrates the settings for the following applications:
+
+
+
+
+
+
+
+
+
+
+
+Adobe Acrobat Reader |
+9 |
+
+
+AOL Instant Messenger |
+6.8 |
+
+
+Adobe Creative Suite |
+2 |
+
+
+Adobe Photoshop CS |
+8, 9 |
+
+
+Adobe ImageReady CS |
+ |
+
+
+Apple iTunes |
+6, 7, 8 |
+
+
+Apple QuickTime Player |
+5, 6, 7 |
+
+
+Apple Safari |
+3.1.2 |
+
+
+Google Chrome |
+beta |
+
+
+Google Picasa |
+3 |
+
+
+Google Talk |
+beta |
+
+
+IBM Lotus 1-2-3 |
+9 |
+
+
+IBM Lotus Notes |
+6,7, 8 |
+
+
+IBM Lotus Organizer |
+5 |
+
+
+IBM Lotus WordPro |
+9.9 |
+
+
+Intuit Quicken Deluxe |
+2009 |
+
+
+Money Plus Business |
+2008 |
+
+
+Money Plus Home |
+2008 |
+
+
+Mozilla Firefox |
+3 |
+
+
+Microsoft Office |
+2003, 2007, 2010 |
+
+
+Microsoft Office Access® |
+2003, 2007, 2010 |
+
+
+Microsoft Office Excel® |
+2003, 2007, 2010 |
+
+
+Microsoft Office FrontPage® |
+2003, 2007, 2010 |
+
+
+Microsoft Office OneNote® |
+2003, 2007, 2010 |
+
+
+Microsoft Office Outlook® |
+2003, 2007, 2010 |
+
+
+Microsoft Office PowerPoint® |
+2003, 2007, 2010 |
+
+
+Microsoft Office Publisher |
+2003, 2007, 2010 |
+
+
+Microsoft Office Word |
+2003, 2007, 2010 |
+
+
+Opera Software Opera |
+9.5 |
+
+
+Microsoft Outlook Express |
+(only mailbox file) |
+
+
+Microsoft Project |
+2003, 2007 |
+
+
+Microsoft Office Visio® |
+2003, 2007 |
+
+
+RealPlayer Basic |
+11 |
+
+
+Sage Peachtree |
+2009 |
+
+
+Skype |
+3.8 |
+
+
+Windows Live Mail |
+12, 14 |
+
+
+Windows Live Messenger |
+8.5, 14 |
+
+
+Windows Live MovieMaker |
+14 |
+
+
+Windows Live Photo Gallery |
+12, 14 |
+
+
+Windows Live Writer |
+12, 14 |
+
+
+Windows Mail |
+(Windows 7 and 8) |
+
+
+Microsoft Works |
+9 |
+
+
+Yahoo Messenger |
+9 |
+
+
+Microsoft Zune™ Software |
+3 |
+
+
+
+
+
+
+## What USMT does not migrate
+
+
+The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md).
+
+### Application settings
+
+USMT does not migrate the following application settings:
+
+- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version.
+
+- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate.
+
+- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system.
+
+- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when:
+
+ - You change the default installation location on 32-bit destination computers.
+
+ - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”.
+
+### Operating-System settings
+
+USMT does not migrate the following operating-system settings.
+
+- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files.
+
+- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer.
+
+- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer.
+
+- Customized icons for shortcuts may not migrate.
+
+- Taskbar settings, when the source computer is running Windows XP.
+
+You should also note the following:
+
+- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**.
+
+- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
+
+### Start menu layout
+
+Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
+
+## Related topics
+
+
+[Plan your migration](usmt-plan-your-migration.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index bfbd4e2c61..c05b8c1535 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -1,6 +1,6 @@
---
title: XML Elements Library (Windows 10)
-description: XML Elements Library
+description: Learn about the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT).
ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index ba0467192f..ec943180e6 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -1,6 +1,6 @@
---
title: USMT XML Reference (Windows 10)
-description: Work with and customize the migration XML files using USMT XML Reference for Windows 10.
+description: Learn about working with and customizing the migration XML files using User State Migration Tool (USMT) XML Reference for Windows 10.
ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index aeae8b54ae..f5afeaa069 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -1,6 +1,6 @@
---
title: XML File Requirements (Windows 10)
-description: XML File Requirements
+description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration urlid.
ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 62a9dc2999..5b4f53e98a 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -3,8 +3,9 @@ title: Configure VDA for Windows 10 Subscription Activation
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
-description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA
+description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,7 +13,6 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro
-author: greg-lindsay
ms.topic: article
ms.collection: M365-modern-desktop
---
diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
index cd12f07346..5e20b62132 100644
--- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
@@ -1,6 +1,6 @@
---
title: Activate by Proxy an Active Directory Forest (Windows 10)
-description: Activate by Proxy an Active Directory Forest
+description: Learn how to use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest.
ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md
index 06362064ff..007c3a0ae3 100644
--- a/windows/deployment/volume-activation/activate-forest-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-vamt.md
@@ -1,50 +1,51 @@
----
-title: Activate an Active Directory Forest Online (Windows 10)
-description: Activate an Active Directory Forest Online
-ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Activate an Active Directory Forest Online
-
-You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain.
-
-**Important**
-ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
-
-## Requirements
-
-Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
-- VAMT is installed on a host computer that has Internet access.
-- VAMT has administrative permissions to the Active Directory domain.
-- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node.
-
-**To perform an online Active Directory forest activation**
-
-1. Open VAMT.
-2. In the left-side pane, click the **Active Directory-Based Activation** node.
-3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box.
-4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest.
-5. If required, enter a new Active Directory-Based Activation Object name
-
- **Important**
- If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
-
-6. Click **Install Key**.
-7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action.
-
-The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane.
-
-## Related topics
-
-- [Scenario 1: Online Activation](scenario-online-activation-vamt.md)
-- [Add and Remove Computers](add-remove-computers-vamt.md)
+---
+title: Activate an Active Directory Forest Online (Windows 10)
+description: Use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest online.
+ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Activate an Active Directory Forest Online
+
+You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain.
+
+**Important**
+ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
+
+## Requirements
+
+Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
+- VAMT is installed on a host computer that has Internet access.
+- VAMT has administrative permissions to the Active Directory domain.
+- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node.
+
+**To perform an online Active Directory forest activation**
+
+1. Open VAMT.
+2. In the left-side pane, click the **Active Directory-Based Activation** node.
+3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box.
+4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest.
+5. If required, enter a new Active Directory-Based Activation Object name
+
+ **Important**
+ If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
+
+6. Click **Install Key**.
+7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action.
+
+The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane.
+
+## Related topics
+
+- [Scenario 1: Online Activation](scenario-online-activation-vamt.md)
+- [Add and Remove Computers](add-remove-computers-vamt.md)
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index f2d59868c4..124078e760 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -4,7 +4,7 @@ ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac
ms.reviewer:
manager: laurawi
ms.author: greglin
-description:
+description: How to activate using Key Management Service in Windows 10.
keywords: vamt, volume activation, activation, windows activation
ms.prod: w10
ms.mktglfcycl: deploy
@@ -45,14 +45,16 @@ Installing a KMS host key on a computer running Windows 10 allows you to activa
Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services.
-**Configure KMS in Windows 10**
+**Configure KMS in Windows 10**
-To activate by using the telephone, use the slmgr.vbs script.
-
-1. Run **slmgr.vbs /dti** and confirm the installation ID.
-2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
-3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
-4. Run **slmgr.vbs /atp \**.
+To activate , use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
+- To install the KMS key, type `slmgr.vbs /ipk `.
+- To activate online, type `slmgr.vbs/ato`.
+- To activate by telephone , follow these steps:
+ 1. Run `slmgr.vbs /dti` and confirm the installation ID.
+ 2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
+ 3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
+ 4. Run `slmgr.vbs /atp \`.
For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index 0664a272c5..b88d65def4 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -1,127 +1,128 @@
----
-title: Activate clients running Windows 10 (Windows 10)
-description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
-ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Activate clients running Windows 10
-
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
-Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
-If activation or reactivation is required, the following sequence occurs:
-1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
-2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK.
-3. The computer tries to activate against Microsoft servers if it is configured with a MAK.
-
-If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
-
-## How Key Management Service works
-
-KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
-
-### Key Management Service activation thresholds
-
-You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met.
-
-A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
-When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met.
-
-In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated.
-
-### Activation count cache
-
-To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
-However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
-The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
-
-### Key Management Service connectivity
-
-KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
-
-### Key Management Service activation renewal
-
-KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.
-
-### Publication of the Key Management Service
-
-The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
-
-### Client discovery of the Key Management Service
-
-By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
-Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
-If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
-By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
-
-### Domain Name System server configuration
-
-The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
-The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
-
-### Activating the first Key Management Service host
-
-KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
-
-### Activating subsequent Key Management Service hosts
-
-Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
-
-## How Multiple Activation Key works
-
-A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
-
-You can activate computers by using a MAK in two ways:
-- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
-
- 
-
- **Figure 16**. MAK independent activation
-- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
-
- 
-
- **Figure 17**. MAK proxy activation with the VAMT
-
-A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold.
-
-You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment.
-
-### Multiple Activation Key architecture and activation
-
-MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
-In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID.
-
-## Activating as a standard user
-
-Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.”
-
-## See also
-
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
-
-
+---
+title: Activate clients running Windows 10 (Windows 10)
+description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
+ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Activate clients running Windows 10
+
+**Applies to**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+**Looking for retail activation?**
+
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
+Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
+If activation or reactivation is required, the following sequence occurs:
+1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
+2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK.
+3. The computer tries to activate against Microsoft servers if it is configured with a MAK.
+
+If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
+
+## How Key Management Service works
+
+KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
+
+### Key Management Service activation thresholds
+
+You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met.
+
+A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
+When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met.
+
+In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated.
+
+### Activation count cache
+
+To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
+However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
+The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
+
+### Key Management Service connectivity
+
+KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
+
+### Key Management Service activation renewal
+
+KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.
+
+### Publication of the Key Management Service
+
+The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
+
+### Client discovery of the Key Management Service
+
+By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
+Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
+If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
+By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
+
+### Domain Name System server configuration
+
+The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
+The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
+
+### Activating the first Key Management Service host
+
+KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
+
+### Activating subsequent Key Management Service hosts
+
+Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
+
+## How Multiple Activation Key works
+
+A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
+
+You can activate computers by using a MAK in two ways:
+- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
+
+ 
+
+ **Figure 16**. MAK independent activation
+- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
+
+ 
+
+ **Figure 17**. MAK proxy activation with the VAMT
+
+A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold.
+
+You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment.
+
+### Multiple Activation Key architecture and activation
+
+MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
+In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID.
+
+## Activating as a standard user
+
+Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.”
+
+## See also
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+
diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md
index bc02aaba30..fe607d6482 100644
--- a/windows/deployment/volume-activation/add-manage-products-vamt.md
+++ b/windows/deployment/volume-activation/add-manage-products-vamt.md
@@ -1,6 +1,6 @@
---
title: Add and Manage Products (Windows 10)
-description: Add and manage computers with the Volume Activation Management Tool (VAMT).
+description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network.
ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
index fc7b9b051d..dc8aedf5f2 100644
--- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
@@ -1,39 +1,40 @@
----
-title: Add and Remove a Product Key (Windows 10)
-description: Add and Remove a Product Key
-ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Add and Remove a Product Key
-
-Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database.
-
-## To Add a Product Key
-
-1. Open VAMT.
-2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu.
-3. Click **Add product keys** to open the **Add Product Keys** dialog box.
-4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys:
- - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**.
- - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
-
- **Note**
- If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
-
-## Remove a Product Key
-
-- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network.
-
-## Related topics
-
-- [Manage Product Keys](manage-product-keys-vamt.md)
+---
+title: Add and Remove a Product Key (Windows 10)
+description: Add a product key to the Volume Activation Management Tool (VAMT) database. Also, learn how to remove the key from the database.
+ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Add and Remove a Product Key
+
+Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database.
+
+## To Add a Product Key
+
+1. Open VAMT.
+2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu.
+3. Click **Add product keys** to open the **Add Product Keys** dialog box.
+4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys:
+ - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**.
+ - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
+
+ **Note**
+ If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
+
+## Remove a Product Key
+
+- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network.
+
+## Related topics
+
+- [Manage Product Keys](manage-product-keys-vamt.md)
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
index d56ff58a30..19d405b786 100644
--- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
@@ -1,71 +1,72 @@
----
-title: Appendix Information sent to Microsoft during activation (Windows 10)
-ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description:
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Appendix: Information sent to Microsoft during activation
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-When you activate a computer running Windows 10, the following information is sent to Microsoft:
-
-- The Microsoft product code (a five-digit code that identifies the Windows product you are activating)
-- A channel ID or site code that identifies how the Windows product was originally obtained
-
- For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer.
-
-- The date of installation and whether the installation was successful
-- Information that helps confirm that your Windows product key has not been altered
-- Computer make and model
-- Version information for the operating system and software
-- Region and language settings
-- A unique number called a *globally unique identifier*, which is assigned to your computer
-- Product key (hashed) and product ID
-- BIOS name, revision number, and revision date
-- Volume serial number (hashed) of the hard disk drive
-- The result of the activation check
-
- This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled:
-
- - The activation exploit’s identifier
- - The activation exploit’s current state, such as cleaned or quarantined
- - Computer manufacturer’s identification
- - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
-- The name and a hash of the contents of your computer’s startup instructions file
-- If your Windows license is on a subscription basis, information about how your subscription works
-
-Standard computer information is also sent, but your computer’s IP address is only retained temporarily.
-
-## Use of information
-
-Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers.
-For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
-
-## See also
-
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
-
-
+---
+title: Appendix Information sent to Microsoft during activation (Windows 10)
+ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description:
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Appendix: Information sent to Microsoft during activation
+**Applies to**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+**Looking for retail activation?**
+
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+When you activate a computer running Windows 10, the following information is sent to Microsoft:
+
+- The Microsoft product code (a five-digit code that identifies the Windows product you are activating)
+- A channel ID or site code that identifies how the Windows product was originally obtained
+
+ For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer.
+
+- The date of installation and whether the installation was successful
+- Information that helps confirm that your Windows product key has not been altered
+- Computer make and model
+- Version information for the operating system and software
+- Region and language settings
+- A unique number called a *globally unique identifier*, which is assigned to your computer
+- Product key (hashed) and product ID
+- BIOS name, revision number, and revision date
+- Volume serial number (hashed) of the hard disk drive
+- The result of the activation check
+
+ This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled:
+
+ - The activation exploit’s identifier
+ - The activation exploit’s current state, such as cleaned or quarantined
+ - Computer manufacturer’s identification
+ - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
+- The name and a hash of the contents of your computer’s startup instructions file
+- If your Windows license is on a subscription basis, information about how your subscription works
+
+Standard computer information is also sent, but your computer’s IP address is only retained temporarily.
+
+## Use of information
+
+Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers.
+For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
+
+## See also
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index 08cca37792..f4e102124a 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -1,6 +1,6 @@
---
title: Configure Client Computers (Windows 10)
-description: Configure Client Computers
+description: Learn how to configure client computers to enable the Volume Activation Management Tool (VAMT) to function correctly.
ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md
index 5b77d96564..502813e80e 100644
--- a/windows/deployment/volume-activation/import-export-vamt-data.md
+++ b/windows/deployment/volume-activation/import-export-vamt-data.md
@@ -1,51 +1,52 @@
----
-title: Import and Export VAMT Data (Windows 10)
-description: Import and Export VAMT Data
-ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Import and Export VAMT Data
-
-You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data.
-You can import data or export data during the following scenarios:
-- Import and merge data from previous versions of VAMT.
-- Export data to use to perform proxy activations.
-
-**Warning**
-Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported.
-
-## Import VAMT Data
-
-**To import data into VAMT**
-1. Open VAMT.
-2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box.
-3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**.
-4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully.
-
-## Export VAMT Data
-
-Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file:
-1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products.
-2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export.
-3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box.
-4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file.
-5. Under **Export options**, select one of the following data-type options:
- - Export products and product keys
- - Export products only
- - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked.
-6. If you have selected products to export, select the **Export selected product rows only** check box.
-7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
-
-## Related topics
-
-- [Perform Proxy Activation](proxy-activation-vamt.md)
+---
+title: Import and Export VAMT Data (Windows 10)
+description: Learn how to use the Volume Activation Management Tool (VAMT) to import product-activation data from a .cilx or .cil file into SQL Server.
+ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Import and Export VAMT Data
+
+You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data.
+You can import data or export data during the following scenarios:
+- Import and merge data from previous versions of VAMT.
+- Export data to use to perform proxy activations.
+
+**Warning**
+Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported.
+
+## Import VAMT Data
+
+**To import data into VAMT**
+1. Open VAMT.
+2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box.
+3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**.
+4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully.
+
+## Export VAMT Data
+
+Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file:
+1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products.
+2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export.
+3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box.
+4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file.
+5. Under **Export options**, select one of the following data-type options:
+ - Export products and product keys
+ - Export products only
+ - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked.
+6. If you have selected products to export, select the **Export selected product rows only** check box.
+7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
+
+## Related topics
+
+- [Perform Proxy Activation](proxy-activation-vamt.md)
diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md
index dc1c9eaa35..f4cff8a4da 100644
--- a/windows/deployment/volume-activation/install-configure-vamt.md
+++ b/windows/deployment/volume-activation/install-configure-vamt.md
@@ -1,34 +1,35 @@
----
-title: Install and Configure VAMT (Windows 10)
-description: Install and Configure VAMT
-ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Install and Configure VAMT
-
-This section describes how to install and configure the Volume Activation Management Tool (VAMT).
-
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. |
-|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. |
-|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. |
-
-## Related topics
-
-- [Introduction to VAMT](introduction-vamt.md)
-
-
+---
+title: Install and Configure VAMT (Windows 10)
+description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process.
+ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Install and Configure VAMT
+
+This section describes how to install and configure the Volume Activation Management Tool (VAMT).
+
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. |
+|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. |
+|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. |
+
+## Related topics
+
+- [Introduction to VAMT](introduction-vamt.md)
+
+
diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
index 3fe43074c1..c0458d4963 100644
--- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md
+++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
@@ -1,43 +1,44 @@
----
-title: Install a KMS Client Key (Windows 10)
-description: Install a KMS Client Key
-ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Install a KMS Client Key
-
-You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation.
-
-**Note**
-By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products.
-
-**To install a KMS Client key**
-1. Open VAMT.
-2. In the left-side pane click **Products** to open the product list view in the center pane.
-3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5. Click **Filter**. VAMT displays the filtered list in the center pane.
-6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
-7. The **Install Product Key** dialog box displays the keys that are available to be installed.
-8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**.
-
- VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-
- The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
-
-## Related topics
-
-- [Perform KMS Activation](kms-activation-vamt.md)
+---
+title: Install a KMS Client Key (Windows 10)
+description: Learn to use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys.
+ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Install a KMS Client Key
+
+You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation.
+
+**Note**
+By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products.
+
+**To install a KMS Client key**
+1. Open VAMT.
+2. In the left-side pane click **Products** to open the product list view in the center pane.
+3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+5. Click **Filter**. VAMT displays the filtered list in the center pane.
+6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+7. The **Install Product Key** dialog box displays the keys that are available to be installed.
+8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**.
+
+ VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+ The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
+
+## Related topics
+
+- [Perform KMS Activation](kms-activation-vamt.md)
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md
index 96908f97d1..d83feb6226 100644
--- a/windows/deployment/volume-activation/install-product-key-vamt.md
+++ b/windows/deployment/volume-activation/install-product-key-vamt.md
@@ -1,45 +1,46 @@
----
-title: Install a Product Key (Windows 10)
-description: Install a Product Key
-ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Install a Product Key
-
-You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
-
-**To install a Product key**
-1. Open VAMT.
-2. In the left-side pane, click the product that you want to install keys onto.
-3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5. Click **Filter**.
-6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
-7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
-8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time.
-9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-
- The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
-
- **Note**
- Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right
- Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382).
-
-## Related topics
-
-- [Manage Product Keys](manage-product-keys-vamt.md)
-
-
+---
+title: Install a Product Key (Windows 10)
+description: Learn to use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
+ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Install a Product Key
+
+You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
+
+**To install a Product key**
+1. Open VAMT.
+2. In the left-side pane, click the product that you want to install keys onto.
+3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+5. Click **Filter**.
+6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
+7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time.
+9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+ The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
+
+ **Note**
+ Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right
+ Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382).
+
+## Related topics
+
+- [Manage Product Keys](manage-product-keys-vamt.md)
+
+
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 27951497ec..6b18acd8ae 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -1,6 +1,6 @@
---
title: Install VAMT (Windows 10)
-description: Install VAMT
+description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 791d49e497..5152af65fe 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -1,66 +1,67 @@
----
-title: Introduction to VAMT (Windows 10)
-description: Introduction to VAMT
-ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Introduction to VAMT
-
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
-
-**Note**
-VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
-
-## In this Topic
-- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
-- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
-- [Enterprise Environment](#bkmk-enterpriseenvironment)
-- [VAMT User Interface](#bkmk-userinterface)
-
-## Managing Multiple Activation Key (MAK) and Retail Activation
-
-You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
-- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
-- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
-
-## Managing Key Management Service (KMS) Activation
-
-In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
-VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
-
-## Enterprise Environment
-
-VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
-
-
-
-In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
-The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
-
-## VAMT User Interface
-
-The following screenshot shows the VAMT graphical user interface.
-
-
-
-VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
-- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
-- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
-- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
-- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
-- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
-
-## Related topics
-- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
-
-
+---
+title: Introduction to VAMT (Windows 10)
+description: VAMT enables administrators to automate and centrally manage the Windows, Microsoft Office, and select other Microsoft products volume and retail activation process.
+ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Introduction to VAMT
+
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
+
+**Note**
+VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
+
+## In this Topic
+- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
+- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
+- [Enterprise Environment](#bkmk-enterpriseenvironment)
+- [VAMT User Interface](#bkmk-userinterface)
+
+## Managing Multiple Activation Key (MAK) and Retail Activation
+
+You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
+- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
+
+## Managing Key Management Service (KMS) Activation
+
+In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
+VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
+
+## Enterprise Environment
+
+VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
+
+
+
+In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
+The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
+
+## VAMT User Interface
+
+The following screenshot shows the VAMT graphical user interface.
+
+
+
+VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
+- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
+- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
+- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
+- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
+- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
+
+## Related topics
+- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
+
+
diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md
index 318cd0cb65..e1e2f2151e 100644
--- a/windows/deployment/volume-activation/manage-activations-vamt.md
+++ b/windows/deployment/volume-activation/manage-activations-vamt.md
@@ -1,33 +1,34 @@
----
-title: Manage Activations (Windows 10)
-description: Manage Activations
-ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Manage Activations
-
-This section describes how to activate a client computer, by using a variety of activation methods.
-
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. |
-|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. |
-|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). |
-|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. |
-|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. |
-|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. |
-
-
-
+---
+title: Manage Activations (Windows 10)
+description: Learn how to manage activations and how to activate a client computer by using a variety of activation methods.
+ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Manage Activations
+
+This section describes how to activate a client computer, by using a variety of activation methods.
+
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. |
+|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. |
+|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). |
+|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. |
+|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. |
+|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. |
+
+
+
diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md
index bedd50af8f..1eb0380671 100644
--- a/windows/deployment/volume-activation/manage-product-keys-vamt.md
+++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md
@@ -1,29 +1,30 @@
----
-title: Manage Product Keys (Windows 10)
-description: Manage Product Keys
-ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Manage Product Keys
-
-This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database.
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. |
-|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. |
-|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. |
-
-
-
+---
+title: Manage Product Keys (Windows 10)
+description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT).
+ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Manage Product Keys
+
+This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database.
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. |
+|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. |
+|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. |
+
+
+
diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md
index 7d068975cd..6f2f8b2dd0 100644
--- a/windows/deployment/volume-activation/manage-vamt-data.md
+++ b/windows/deployment/volume-activation/manage-vamt-data.md
@@ -1,25 +1,26 @@
----
-title: Manage VAMT Data (Windows 10)
-description: Manage VAMT Data
-ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Manage VAMT Data
-
-This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
-
-## In this Section
-|Topic |Description |
-|------|------------|
-|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. |
-|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. |
+---
+title: Manage VAMT Data (Windows 10)
+description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
+ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Manage VAMT Data
+
+This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
+
+## In this Section
+|Topic |Description |
+|------|------------|
+|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. |
+|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. |
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index ea131b996d..143855e843 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -1,44 +1,45 @@
----
-title: Monitor activation (Windows 10)
-ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description:
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.topic: article
----
-
-# Monitor activation
-
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include:
-- Using the Volume Licensing Service Center website to track use of MAK keys.
-- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).)
-- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
-- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
-- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager.
-- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
-- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section.
-
-## See also
-
-[Volume Activation for Windows 10](volume-activation-windows-10.md)
+---
+title: Monitor activation (Windows 10)
+ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description:
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# Monitor activation
+
+**Applies to**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+**Looking for retail activation?**
+
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include:
+- Using the Volume Licensing Service Center website to track use of MAK keys.
+- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).)
+- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
+- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
+- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager.
+- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
+- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section.
+
+## See also
+
+[Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md
index 45f237024f..96d0e8abdd 100644
--- a/windows/deployment/volume-activation/online-activation-vamt.md
+++ b/windows/deployment/volume-activation/online-activation-vamt.md
@@ -1,55 +1,56 @@
----
-title: Perform Online Activation (Windows 10)
-description: Perform Online Activation
-ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Perform Online Activation
-
-You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key.
-
-## Requirements
-
-Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
-- VAMT is installed on a central computer that has network access to all client computers.
-- Both the VAMT host and client computers have Internet access.
-- The products that you want to activate are added to VAMT.
-- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
-
-The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking
-**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
-
-## To Perform an Online Activation
-
-**To perform an online activation**
-1. Open VAMT.
-2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-4. Click **Filter**. VAMT displays the filtered list in the center pane.
-5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
-6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button.
-7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
-8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-
- The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
-
- **Note**
- Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation.
-
- **Note**
- You can use online activation to select products that have different key types and activate the products at the same time.
-
-## Related topics
-- [Manage Activations](manage-activations-vamt.md)
+---
+title: Perform Online Activation (Windows 10)
+description: Learn how to use the Volume Activation Management Tool (VAMT) to enable client products to be activated online.
+ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Perform Online Activation
+
+You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key.
+
+## Requirements
+
+Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
+- VAMT is installed on a central computer that has network access to all client computers.
+- Both the VAMT host and client computers have Internet access.
+- The products that you want to activate are added to VAMT.
+- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+
+The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking
+**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
+
+## To Perform an Online Activation
+
+**To perform an online activation**
+1. Open VAMT.
+2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+4. Click **Filter**. VAMT displays the filtered list in the center pane.
+5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
+6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button.
+7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
+8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+ The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
+
+ **Note**
+ Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation.
+
+ **Note**
+ You can use online activation to select products that have different key types and activate the products at the same time.
+
+## Related topics
+- [Manage Activations](manage-activations-vamt.md)
diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md
index 65dd923d7e..ce8b8c1e39 100644
--- a/windows/deployment/volume-activation/remove-products-vamt.md
+++ b/windows/deployment/volume-activation/remove-products-vamt.md
@@ -1,35 +1,36 @@
----
-title: Remove Products (Windows 10)
-description: Remove Products
-ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Remove Products
-
-To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane.
-
-**To delete one or more products**
-1. Click a product node in the left-side pane.
-2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-4. Click **Filter**. VAMT displays the filtered list in the center pane.
-5. Select the products you want to delete.
-6. Click **Delete** in the **Selected Items** menu in the right-side pane.
-7. On the **Confirm Delete Selected Products** dialog box, click **OK**.
-
-## Related topics
-- [Add and Manage Products](add-manage-products-vamt.md)
-
-
+---
+title: Remove Products (Windows 10)
+description: Learn how you must delete products from the product list view so you can remove products from the Volume Activation Management Tool (VAMT).
+ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Remove Products
+
+To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane.
+
+**To delete one or more products**
+1. Click a product node in the left-side pane.
+2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+4. Click **Filter**. VAMT displays the filtered list in the center pane.
+5. Select the products you want to delete.
+6. Click **Delete** in the **Selected Items** menu in the right-side pane.
+7. On the **Confirm Delete Selected Products** dialog box, click **OK**.
+
+## Related topics
+- [Add and Manage Products](add-manage-products-vamt.md)
+
+
diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
index 34263037b3..400b2ad2e1 100644
--- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
@@ -1,48 +1,49 @@
----
-title: Scenario 3 KMS Client Activation (Windows 10)
-description: Scenario 3 KMS Client Activation
-ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Scenario 3: KMS Client Activation
-
-In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
-
-The procedure that is described below assumes the following:
-- The KMS Service is enabled and available to all KMS clients.
-- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information.
-
-## Activate KMS Clients
-
-1. Open VAMT.
-2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
-3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options:
- - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead.
- - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain.
- - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host.
-4. In the left-side pane, in the **Products** node, click the product that you want to activate.
-5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-7. Click **Filter**. VAMT displays the filtered list in the center pane.
-8. Select the products that you want to activate.
-9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
-10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-
-The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
-
-## Related topics
-- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
-
-
+---
+title: Scenario 3 KMS Client Activation (Windows 10)
+description: Learn how to use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs).
+ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Scenario 3: KMS Client Activation
+
+In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
+
+The procedure that is described below assumes the following:
+- The KMS Service is enabled and available to all KMS clients.
+- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information.
+
+## Activate KMS Clients
+
+1. Open VAMT.
+2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
+3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options:
+ - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead.
+ - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain.
+ - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host.
+4. In the left-side pane, in the **Products** node, click the product that you want to activate.
+5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+7. Click **Filter**. VAMT displays the filtered list in the center pane.
+8. Select the products that you want to activate.
+9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
+10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
+
+## Related topics
+- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
+
+
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index 3c52c27790..f46556cdae 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -1,6 +1,6 @@
---
title: Scenario 2 Proxy Activation (Windows 10)
-description: Scenario 2 Proxy Activation
+description: Use the Volume Activation Management Tool (VAMT) to activate products that are installed on workgroup computers in an isolated lab environment.
ms.assetid: ed5a8a56-d9aa-4895-918f-dd1898cb2c1a
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md
index 038839adb4..1e3cd0e815 100644
--- a/windows/deployment/volume-activation/update-product-status-vamt.md
+++ b/windows/deployment/volume-activation/update-product-status-vamt.md
@@ -1,38 +1,39 @@
----
-title: Update Product Status (Windows 10)
-description: Update Product Status
-ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Update Product Status
-
-After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database.
-To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
-
-**Note**
-The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
-
-## Update the license status of a product
-
-1. Open VAMT.
-2. In the **Products** list, select one or more products that need to have their status updated.
-3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer.
-4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
-
- VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
-
- **Note**
- If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
-
-## Related topics
-- [Add and Manage Products](add-manage-products-vamt.md)
+---
+title: Update Product Status (Windows 10)
+description: Learn how to use the Update license status function to add the products that are installed on the computers.
+ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Update Product Status
+
+After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database.
+To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+
+**Note**
+The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
+
+## Update the license status of a product
+
+1. Open VAMT.
+2. In the **Products** list, select one or more products that need to have their status updated.
+3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer.
+4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
+
+ VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
+
+ **Note**
+ If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
+
+## Related topics
+- [Add and Manage Products](add-manage-products-vamt.md)
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
index 092f297bb9..7389bcd273 100644
--- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
+++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
@@ -1,6 +1,6 @@
---
title: Use VAMT in Windows PowerShell (Windows 10)
-description: Use VAMT in Windows PowerShell
+description: Learn how to use Volume Activation Management Tool (VAMT) PowerShell cmdlets to perform the same functions as the Vamt.exe command-line tool.
ms.assetid: 13e0ceec-d827-4681-a5c3-8704349e3ba9
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index e9c0da934f..2ee3dbbb3d 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -1,46 +1,47 @@
----
-title: VAMT Requirements (Windows 10)
-description: VAMT Requirements
-ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# VAMT Requirements
-
-This topic includes info about the product key and system requirements for VAMT.
-
-## Product Key Requirements
-
-The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys.
-
-|Product key type |Where to obtain |
-|-----------------|----------------|
-|- Multiple Activation Key (MAK)
- Key Management Service (KMS) host key (CSVLK)
- KMS client setup keys (GVLK)
|Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). |
-|Retail product keys |Obtained at time of product purchase. |
-
-## System Requirements
-
-The following table lists the system requirements for the VAMT host computer.
-
-| Item | Minimum system requirement |
-| ---- | ---------------------------|
-| Computer and Processor | 1 GHz x86 or x64 processor |
-| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 |
-| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 |
-| External Drive | Removable media (Optional) |
-| Display | 1024x768 or higher resolution monitor |
-| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
-| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
-| Additional Requirements | - Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
- PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
- If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
|
-
-## Related topics
-- [Install and Configure VAMT](install-configure-vamt.md)
+---
+title: VAMT Requirements (Windows 10)
+description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT).
+ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# VAMT Requirements
+
+This topic includes info about the product key and system requirements for VAMT.
+
+## Product Key Requirements
+
+The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys.
+
+|Product key type |Where to obtain |
+|-----------------|----------------|
+|- Multiple Activation Key (MAK)
- Key Management Service (KMS) host key (CSVLK)
- KMS client setup keys (GVLK)
|Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). |
+|Retail product keys |Obtained at time of product purchase. |
+
+## System Requirements
+
+The following table lists the system requirements for the VAMT host computer.
+
+| Item | Minimum system requirement |
+| ---- | ---------------------------|
+| Computer and Processor | 1 GHz x86 or x64 processor |
+| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 |
+| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 |
+| External Drive | Removable media (Optional) |
+| Display | 1024x768 or higher resolution monitor |
+| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
+| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
+| Additional Requirements | - Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
- PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
- If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
|
+
+## Related topics
+- [Install and Configure VAMT](install-configure-vamt.md)
diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md
index ae1576bb5f..ef45dc1c96 100644
--- a/windows/deployment/volume-activation/vamt-step-by-step.md
+++ b/windows/deployment/volume-activation/vamt-step-by-step.md
@@ -1,32 +1,33 @@
----
-title: VAMT Step-by-Step Scenarios (Windows 10)
-description: VAMT Step-by-Step Scenarios
-ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# VAMT Step-by-Step Scenarios
-
-This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started.
-
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. |
-|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. |
-|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
-
-## Related topics
-- [Introduction to VAMT](introduction-vamt.md)
-
-
+---
+title: VAMT Step-by-Step Scenarios (Windows 10)
+description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments.
+ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# VAMT Step-by-Step Scenarios
+
+This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started.
+
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. |
+|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. |
+|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
+
+## Related topics
+- [Introduction to VAMT](introduction-vamt.md)
+
+
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 3ae808a4af..99b5479318 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -12,7 +12,6 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 80dc7ea0eb..61d5af710d 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -5,6 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
keywords: upgrade, in-place, configuration, deploy
ms.prod: w10
@@ -12,7 +13,6 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index 31c2c53103..2321163bd1 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -1,21 +1,21 @@
---
title: Windows 10 deployment tools reference
-description: Learn about the tools available to deploy Windows 10.
+description: Learn about the tools available to deploy Windows 10, like Volume Activation Management Tool (VAMT) and User State Migration Tool (USMT).
ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.date: 07/12/2017
ms.topic: article
---
-# Windows 10 deployment tools
+# Windows 10 deployment tools reference
Learn about the tools available to deploy Windows 10.
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index a71caf0006..33f7b49f5e 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -5,12 +5,12 @@ ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.date: 10/16/2017
ms.topic: article
---
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index c36f0c2cdc..d362478ccc 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -13,7 +13,6 @@ manager: laurawi
ms.audience: itpro
author: greg-lindsay
audience: itpro
-author: greg-lindsay
ms.collection: M365-modern-desktop
ms.topic: article
---
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 24743735e8..38a56db227 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -9,10 +9,10 @@ ms.date: 10/20/2017
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md
index dfa95cf6e1..7f9f5e72ad 100644
--- a/windows/deployment/windows-10-missing-fonts.md
+++ b/windows/deployment/windows-10-missing-fonts.md
@@ -1,103 +1,104 @@
----
-title: How to install fonts missing after upgrading to Windows 10
-description: Some of the fonts are missing from the system after you upgrade to Windows 10.
-keywords: deploy, upgrade, FoD, optional feature
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: itpro
author: greg-lindsay
-ms.audience: itpro
author: greg-lindsay
-ms.date: 10/31/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-# How to install fonts that are missing after upgrading to Windows 10
-
-> Applies to: Windows 10
-
-When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system.
-
-If you have documents created using the missing fonts, these documents might display differently on Windows 10.
-
-For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing:
-
-- Gautami
-- Meiryo
-- Narkism/Batang
-- BatangChe
-- Dotum
-- DotumChe
-- Gulim
-- GulimChe
-- Gungsuh
-- GungsuhChe
-
-If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases.
-
-## Installing language-associated features via language settings:
-
-If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app.
-
-For example, here are the steps to install the fonts associated with the Hebrew language:
-
-1. Click **Start > Settings**.
-2. In Settings, click **Time & language**, and then click **Region & language**.
-3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language.
-4. Find Hebrew, and then click it to add it to your language list.
-
-Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes.
-
-> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work.
-
-## Install optional fonts manually without changing language settings:
-
-If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings.
-
-For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences:
-
-1. Click **Start > Settings**.
-2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**.
-
-3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature.
-4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**.
-
-> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
-
-## Fonts included in optional font features
-
-Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles.
-
-- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting
-- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda
-- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia
-- Cherokee Supplemental Fonts: Plantagenet Cherokee
-- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei
-- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU
-- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah
-- Ethiopic Supplemental Fonts: Nyala
-- Gujarati Supplemental Fonts: Shruti
-- Gurmukhi Supplemental Fonts: Raavi
-- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod
-- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho
-- Kannada Supplemental Fonts: Tunga
-- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran
-- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe
-- Lao Supplemental Fonts: DokChampa, Lao UI
-- Malayalam Supplemental Fonts: Karthika
-- Odia Supplemental Fonts: Kalinga
-- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro
-- Sinhala Supplemental Fonts: Iskoola Pota
-- Syriac Supplemental Fonts: Estrangelo Edessa
-- Tamil Supplemental Fonts: Latha, Vijaya
-- Telugu Supplemental Fonts: Gautami, Vani
-- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC
-
-## Related Topics
-
-[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx)
-
-[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics)
-
-[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
+---
+title: How to install fonts missing after upgrading to Windows 10
+description: Some of the fonts are missing from the system after you upgrade to Windows 10.
+keywords: deploy, upgrade, FoD, optional feature
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.audience: itpro
+ms.date: 10/31/2017
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+# How to install fonts that are missing after upgrading to Windows 10
+
+> Applies to: Windows 10
+
+When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system.
+
+If you have documents created using the missing fonts, these documents might display differently on Windows 10.
+
+For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing:
+
+- Gautami
+- Meiryo
+- Narkism/Batang
+- BatangChe
+- Dotum
+- DotumChe
+- Gulim
+- GulimChe
+- Gungsuh
+- GungsuhChe
+
+If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases.
+
+## Installing language-associated features via language settings:
+
+If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app.
+
+For example, here are the steps to install the fonts associated with the Hebrew language:
+
+1. Click **Start > Settings**.
+2. In Settings, click **Time & language**, and then click **Region & language**.
+3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language.
+4. Find Hebrew, and then click it to add it to your language list.
+
+Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes.
+
+> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work.
+
+## Install optional fonts manually without changing language settings:
+
+If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings.
+
+For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences:
+
+1. Click **Start > Settings**.
+2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**.
+
+3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature.
+4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**.
+
+> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
+
+## Fonts included in optional font features
+
+Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles.
+
+- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting
+- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda
+- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia
+- Cherokee Supplemental Fonts: Plantagenet Cherokee
+- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei
+- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU
+- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah
+- Ethiopic Supplemental Fonts: Nyala
+- Gujarati Supplemental Fonts: Shruti
+- Gurmukhi Supplemental Fonts: Raavi
+- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod
+- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho
+- Kannada Supplemental Fonts: Tunga
+- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran
+- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe
+- Lao Supplemental Fonts: DokChampa, Lao UI
+- Malayalam Supplemental Fonts: Karthika
+- Odia Supplemental Fonts: Kalinga
+- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro
+- Sinhala Supplemental Fonts: Iskoola Pota
+- Syriac Supplemental Fonts: Estrangelo Edessa
+- Tamil Supplemental Fonts: Latha, Vijaya
+- Telugu Supplemental Fonts: Gautami, Vani
+- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC
+
+## Related Topics
+
+[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx)
+
+[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics)
+
+[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index a9ffbb1c73..c10e477cff 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -11,9 +11,9 @@ ms.date: 10/11/2017
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index ba8078e40c..67a95f1168 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -10,9 +10,9 @@ ms.localizationpriority: medium
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index e86a065bf5..6b3110a329 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -3,6 +3,7 @@ title: Configure a test lab to deploy Windows 10
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
ms.prod: w10
@@ -12,7 +13,6 @@ ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt, sccm
ms.localizationpriority: medium
audience: itpro
-author: greg-lindsay
ms.topic: article
---
@@ -22,7 +22,12 @@ ms.topic: article
- Windows 10
-This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
+This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources.
+
+> [!NOTE]
+> Microsoft also offers a pre-configured lab using an evaluation version of Configuration Manager. For more information, see [Windows and Office deployment and management lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab).
+
+This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
@@ -144,7 +149,7 @@ Hardware requirements are displayed below:
The lab architecture is summarized in the following diagram:
-
+
- Computer 1 is configured to host four VMs on a private, PoC network.
- Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
@@ -218,7 +223,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
- 
+ 
@@ -443,7 +448,7 @@ Notes:
3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
@@ -476,7 +481,7 @@ Notes:
5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
@@ -500,7 +505,7 @@ Notes:
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
@@ -815,7 +820,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
- 
+ 
>If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
@@ -873,7 +878,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
See the following example:
- 
+ 
19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index 412dceea4f..bd8b4b1db5 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -1,90 +1,91 @@
----
-title: Switch to Windows 10 Pro/Enterprise from S mode
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
-keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.prod: w10
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Switch to Windows 10 Pro or Enterprise from S mode
-
-We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
-
-
-A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
-
-
-
-
-| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | |
-|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------|
-| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) |
-| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Not by this method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Home |
-| | Home | Not by any method | Not by any method | Not by any method |
-
-
-Use the following information to switch to Windows 10 Pro through the Microsoft Store.
-> [!IMPORTANT]
-> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
-
-## Switch one device through the Microsoft Store
-Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
-
-Note these differences affecting switching modes in various releases of Windows 10:
-
-- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
-- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
-- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
-
-
-1. Sign into the Microsoft Store using your Microsoft account.
-2. Search for "S mode".
-3. In the offer, select **Buy**, **Get**, or **Learn more.**
-
-You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
-
-## Switch one or more devices by using Microsoft Intune
-
-Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
-
-1. Start Microsoft Intune.
-2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
-3. Follow the instructions to complete the switch.
-
-
-## Block users from switching
-
-You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
-To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
-
-## S mode management with CSPs
-
-In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
-
-
-## Related topics
-
-[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
-[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune)
+---
+title: Switch to Windows 10 Pro/Enterprise from S mode
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
+keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Switch to Windows 10 Pro or Enterprise from S mode
+
+We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
+
+
+A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
+
+
+
+
+| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | |
+|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------|
+| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) |
+| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method |
+| | Pro | Pro EDU | Not by any method | Not by any method |
+| | Home | Not by any method | Not by any method | Not by any method |
+| | | | | |
+| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method |
+| | Pro | Pro EDU | Not by any method | Not by any method |
+| | Home in S mode | Not by any method | Home | Not by this method |
+| | Home | Not by any method | Not by any method | Not by any method |
+| | | | | |
+| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro |
+| | Pro | Pro EDU | Not by any method | Not by any method |
+| | Home in S mode | Not by any method | Home | Home |
+| | Home | Not by any method | Not by any method | Not by any method |
+
+
+Use the following information to switch to Windows 10 Pro through the Microsoft Store.
+> [!IMPORTANT]
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+
+## Switch one device through the Microsoft Store
+Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
+
+Note these differences affecting switching modes in various releases of Windows 10:
+
+- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
+- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
+- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
+
+
+1. Sign into the Microsoft Store using your Microsoft account.
+2. Search for "S mode".
+3. In the offer, select **Buy**, **Get**, or **Learn more.**
+
+You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
+
+## Switch one or more devices by using Microsoft Intune
+
+Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
+
+1. Start Microsoft Intune.
+2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
+3. Follow the instructions to complete the switch.
+
+
+## Block users from switching
+
+You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
+To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
+
+## S mode management with CSPs
+
+In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
+
+
+## Related topics
+
+[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
+[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune)
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index 861ef1b1ad..d8d6f47273 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -1,97 +1,98 @@
----
-title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10)
-description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
-ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Windows ADK for Windows 10 scenarios for IT Pros
-
-
-The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx).
-
-In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx).
-
-Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
-
-### Create a Windows image using command-line tools
-
-[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images.
-
-Here are some things you can do with DISM:
-
-- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx)
-- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx)
-- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx)
-- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx)
-- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx)
-- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx)
-- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx)
-
-[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation.
-
-Here are some things you can do with Sysprep:
-
-- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx)
-- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx)
-- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx)
-
-[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
-
-Here are ways you can create a WinPE image:
-
-- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx)
-- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx)
-
-[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems.
-
-Here are some things you can do with Windows RE:
-
-- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx)
-- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx)
-
-[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation.
-
-Here are some things you can do with Windows SIM:
-
-- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx)
-- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx)
-- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx)
-- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx)
-
-For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center.
-
-### Create a Windows image using Windows ICD
-
-Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image.
-
-Here are some things you can do with Windows ICD:
-
-- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx)
-- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx)
-- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx)
-
-### IT Pro Windows deployment tools
-
-There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
-
-- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
-- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10)
+description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
+ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Windows ADK for Windows 10 scenarios for IT Pros
+
+
+The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx).
+
+In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx).
+
+Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
+
+### Create a Windows image using command-line tools
+
+[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images.
+
+Here are some things you can do with DISM:
+
+- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx)
+- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx)
+- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx)
+- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx)
+- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx)
+- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx)
+- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx)
+
+[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation.
+
+Here are some things you can do with Sysprep:
+
+- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx)
+- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx)
+- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx)
+
+[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
+
+Here are ways you can create a WinPE image:
+
+- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx)
+- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx)
+
+[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems.
+
+Here are some things you can do with Windows RE:
+
+- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx)
+- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx)
+
+[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation.
+
+Here are some things you can do with Windows SIM:
+
+- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx)
+- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx)
+- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx)
+- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx)
+
+For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center.
+
+### Create a Windows image using Windows ICD
+
+Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image.
+
+Here are some things you can do with Windows ICD:
+
+- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx)
+- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx)
+- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx)
+
+### IT Pro Windows deployment tools
+
+There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
+
+- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
+- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index a9089d86bc..91aaa460e8 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -5,13 +5,13 @@ ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
ms.reviewer:
manager: laurawi
ms.audience: itpro
+ms.author: greglin
author: greg-lindsay
keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
-author: greg-lindsay
ms.topic: article
---
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index 92f03d2111..ba34b2d47b 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -96,6 +96,7 @@ The following methodology was used to derive these network endpoints:
|||TLS v1.2|*g.live.com|
|||HTTPS|oneclient.sfx.ms|
|||HTTPS| logincdn.msauth.net|
+|||HTTP| windows.policies.live.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLS v1.2|settings-win.data.microsoft.com|
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
@@ -117,6 +118,7 @@ The following methodology was used to derive these network endpoints:
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTP|*.delivery.mp.microsoft.com|
|||HTTPS/TLS v1.2|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS/TLS v1.2|tsfe.trafficshaping.dsp.mp.microsoft.com|
## Other Windows 10 editions
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index 01990ccba5..5c4ad7c28d 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -71,7 +71,6 @@ The following methodology was used to derive these network endpoints:
|||HTTPS|*licensing.mp.microsoft.com|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2|*maps.windows.com|
-|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2|*login.live.com|
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com|
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index 357c78dd10..9e2a244111 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -12,7 +12,7 @@ ms.author: v-hakima
manager: obezeajo
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 7/22/2020
+ms.date: 08/18/2020
---
# Windows 10, version 1909, connection endpoints for non-Enterprise editions
@@ -83,6 +83,7 @@ The following methodology was used to derive the network endpoints:
|*.blob.core.windows.net|HTTP/TLS v1.2|Windows Telemetry
|storage.live.com|HTTP/TLS v1.2|OneDrive
|skydrivesync.policies.live.net|TLS v1.2|OneDrive
+|dm2302.settings.live.net|HTTP|OneDrive
|slscr.update.microsoft.com|HTTPS/TLS V1.2|Windows Update
|tile-service.weather.microsoft.com|HTTP|Used for the Weather app
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTP|This endpoint is used for content regulation
@@ -98,7 +99,7 @@ The following methodology was used to derive the network endpoints:
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.prod.do.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
-|api.onedrive.com|HTTP|One Drive
+|api.onedrive.com|HTTP|OneDrive
|smartscreen-prod.microsoft.com|HTTP|Used for Windows Defender SmartScreen reporting and notifications
|nav.smartscreen.microsoft.com|HTTPS/TLS v1.2|Windows Defender
|*.update.microsoft.com|HTTP|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
@@ -151,8 +152,9 @@ The following methodology was used to derive the network endpoints:
|www.bing.com|HTTPS/TLS v1.2|Cortana and Live Tiles
|www.msftconnecttest.com|HTTP|Network Connection Status Indicator (NCSI)
|outlook.office365.com|HTTP|Microsoft Office
-|storage.live.com|HTTP/TLS v1.2|One Drive
-|skydrivesync.policies.live.net|TLS v1.2|One Drive
+|storage.live.com|HTTP/TLS v1.2|OneDrive
+|skydrivesync.policies.live.net|TLS v1.2|OneDrive
+|windows.policies.live.net|HTTP|OneDrive
## Windows 10 Education
@@ -166,7 +168,7 @@ The following methodology was used to derive the network endpoints:
|dmd.metaservices.microsoft.com|HTTP|Device metadata
|Inference.location.live.net|TLS v1.2|Location
|oneclient.sfx.ms|HTTPS|OneDrive
-|storage.live.com|HTTP/TLS v1.2|One Drive
+|storage.live.com|HTTP/TLS v1.2|OneDrive
|skydrivesync.policies.live.net|TLS v1.2|OneDrive
|slscr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index dabc7f749b..2ae163cea6 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -470,7 +470,7 @@ Each default local account in Active Directory has a number of account settings
Account is trusted for delegation |
-Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously. |
+Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously. |
Account is sensitive and cannot be delegated |
@@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings
Use DES encryption types for this account |
Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).
- NoteDES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.
+ NoteDES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.
@@ -656,8 +656,8 @@ In this procedure, the workstations are dedicated to domain administrators. By s
- Windows Update Setting |
- Configuration |
+ Windows Update Setting |
+ Configuration |
Allow Automatic Updates immediate installation |
diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md
index 1ef5a24b40..3ad985610a 100644
--- a/windows/security/identity-protection/access-control/dynamic-access-control.md
+++ b/windows/security/identity-protection/access-control/dynamic-access-control.md
@@ -1,6 +1,6 @@
---
title: Dynamic Access Control Overview (Windows 10)
-description: Dynamic Access Control Overview
+description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 7e7c2236cd..56e4f2edf2 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -297,9 +297,9 @@ The following table shows the Group Policy and registry settings that are used t
-No. |
-Setting |
-Detailed Description |
+No. |
+Setting |
+Detailed Description |
|
@@ -334,7 +334,7 @@ The following table shows the Group Policy and registry settings that are used t
3 |
Registry key |
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
|
@@ -444,9 +444,9 @@ The following table shows the Group Policy settings that are used to deny networ
-No. |
-Setting |
-Detailed Description |
+No. |
+Setting |
+Detailed Description |
|
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index b4bbe78a9d..0ff8876a89 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -27,7 +27,7 @@ ms.custom:
## Enable Windows Defender Credential Guard
-Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
+Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](dg-readiness-tool.md). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
@@ -36,9 +36,13 @@ The same set of procedures used to enable Windows Defender Credential Guard on p
You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
+
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
+
3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
+
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
+
5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details.
@@ -49,8 +53,10 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
### Enable Windows Defender Credential Guard by using Intune
-1. From **Home** click **Microsoft Intune**
-2. Click **Device configuration**
+1. From **Home**, click **Microsoft Intune**.
+
+2. Click **Device configuration**.
+
3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
> [!NOTE]
@@ -66,6 +72,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows
If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+
> [!NOTE]
> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
@@ -73,22 +80,31 @@ You can do this by using either the Control Panel or the Deployment Image Servic
**Add the virtualization-based security features by using Programs and Features**
1. Open the Programs and Features control panel.
+
2. Click **Turn Windows feature on or off**.
+
3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
+
4. Select the **Isolated User Mode** check box at the top level of the feature selection.
+
5. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
1. Open an elevated command prompt.
+
2. Add the Hyper-V Hypervisor by running the following command:
- ```
+
+ ```console
dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
+
3. Add the Isolated User Mode feature by running the following command:
- ```
+
+ ```console
dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
```
+
> [!NOTE]
> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
@@ -100,11 +116,13 @@ You can do this by using either the Control Panel or the Deployment Image Servic
1. Open Registry Editor.
2. Enable virtualization-based security:
+
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
3. Enable Windows Defender Credential Guard:
+
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
@@ -120,9 +138,10 @@ You can do this by using either the Control Panel or the Deployment Image Servic
You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
-```
+```console
DG_Readiness_Tool.ps1 -Enable -AutoReboot
```
+
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
@@ -134,7 +153,9 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot
You can view System Information to check that Windows Defender Credential Guard is running on a PC.
1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
+
2. Click **System Summary**.
+
3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**.
Here's an example:
@@ -143,9 +164,10 @@ You can view System Information to check that Windows Defender Credential Guard
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
-```
+```console
DG_Readiness_Tool_v3.6.ps1 -Ready
```
+
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
@@ -165,7 +187,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.
- - You can use Windows Powershell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated Powershell window and run the following command:
+ - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
```powershell
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
@@ -195,7 +217,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p
4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
- ``` syntax
+ ```console
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
@@ -232,9 +254,10 @@ For more info on virtualization-based security and HVCI, see [Enable virtualizat
You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
-```
+```console
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
+
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
@@ -243,7 +266,7 @@ DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
From the host, you can disable Windows Defender Credential Guard for a virtual machine:
-``` PowerShell
+```powershell
Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
```
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 7f5c4ffe62..25d125585e 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -98,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
@@ -133,5 +133,5 @@ The following table lists qualifications for Windows 10, version 1703, which are
| Protections for Improved Security | Description | Security Benefits
|---|---|---|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index ae96f09ed1..e609c9469d 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -657,7 +657,7 @@ function PrintHardwareReq
{
LogAndConsole "###########################################################################"
LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard"
- LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home"
+ LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT"
LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT"
LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr"
LogAndConsole "########################################################################### `n"
@@ -735,7 +735,7 @@ function CheckOSSKU
$osname = $((gwmi win32_operatingsystem).Name).ToLower()
$_SKUSupported = 0
Log "OSNAME:$osname"
- $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
+ $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server")
$HLKAllowed = @("microsoft windows 10 pro")
foreach ($SKUent in $SKUarray)
{
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index eff4754797..8a678b6ff4 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -11,7 +11,6 @@ ms.collection: M365-identity-device-management
ms.topic: article
ms.prod: w10
ms.technology: windows
-ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.date: 07/27/2017
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
index 4579829e90..7cf7eeccbf 100644
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
+++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
@@ -1,6 +1,6 @@
---
title: WebAuthn APIs
-description: Enabling password-less authentication for your sites and apps
+description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 916d1cf629..215c86beea 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,6 +1,6 @@
---
title: Multifactor Unlock
-description: Multifactor Unlock
+description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 7189408b7b..13c1e99b51 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Deployment Guide
-description: A guide to Windows Hello for Business deployment
+description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 300a074c68..01f18214de 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -98,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0x801C03F0 | There is no key registered for the user. |
| 0x801C03F1 | There is no UPN in the token. |
| 0x801C044C | There is no core window for the current thread. |
+| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. |
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
index fca4b7eaa6..babc49afc3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Frequently Asked Questions
-description: Windows Hello for Business FAQ
+description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 015331499c..0a52de0945 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -1,6 +1,6 @@
---
title: Dual Enrollment
-description: Dual Enrollment
+description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, dual enrollment,
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 33a9c450e1..f6a0ebc776 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,6 +1,6 @@
---
title: Pin Reset
-description: Pin Reset
+description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN.
keywords: identity, PIN, Hello, passport, WHFB, hybrid, cert-trust, device, reset
ms.prod: w10
ms.mktglfcycl: deploy
@@ -84,7 +84,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
1. In the **Custom OMA-URI Settings** blade, Click **Add**.
1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2.
1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
-1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile.
+1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile.
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 981587e970..e1cf05225a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,6 +1,6 @@
---
title: Remote Desktop
-description: Remote Desktop
+description: Learn how Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
index d9832ef853..d35d4dea64 100644
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ b/windows/security/identity-protection/hello-for-business/hello-features.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Features
-description: Windows Hello for Business Features
+description: Consider additional features you can use after your organization deploys Windows Hello for Business.
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
ms.reviewer:
keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index f220db21f6..0fb161ccb5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -17,7 +17,7 @@ ms.reviewer:
---
# Windows Hello for Business Provisioning
-Applies to:
+Applies to:
- Windows 10
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index ae11903279..8df0ef33bb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -187,7 +187,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
-4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash).
+4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash).
5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
6. Type **.crl** at the end of the text in **Location**. Click **OK**.
@@ -225,7 +225,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
Validate your new CRL distribution point is working.
-1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL.
+1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL.
### Reissue domain controller certificates
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index c2550cdfa7..e5664fdeb0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Trust New Installation (Windows Hello for Business)
-description: Windows Hello for Business Hybrid baseline deployment
+description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust depoyments rely on.
keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index ea04aadb72..2857501f75 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -1,6 +1,6 @@
---
title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
-description: Hybrid Certificate Trust Deployment Overview
+description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 9d05788513..c9ea9e18f9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,6 +1,6 @@
---
title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business)
-description: Provisioning for hybrid certificate trust deployments of Windows Hello for Businesss.
+description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Businesss.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 7c4e019e6d..8a785dcf5f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -46,13 +46,22 @@ By default, the Active Directory Certificate Authority provides and publishes th
Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs.
- **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+
+ > [!NOTE]
+ > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
8. Close the console.
#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
@@ -66,13 +75,21 @@ The auto-enrollment feature in Windows enables you to effortlessly replace these
Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
+
4. Click the **Superseded Templates** tab. Click **Add**.
+
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
+
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
+
7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
+
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
+
9. Click **OK** and close the **Certificate Templates** console.
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
@@ -95,33 +112,54 @@ Approximately 60 days prior to enrollment agent certificate's expiration, the AD
Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority Management** console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
-6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
- **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
+
+6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
+
+ > [!NOTE]
+ > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+
8. On the **Security** tab, click **Add**.
+
9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**.
+
10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**.
-11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+
+11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+
12. Close the console.
-#### Creating an Enrollment Agent certificate for typical Service Acconts
+#### Creating an Enrollment Agent certificate for typical Service Accounts
Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
+
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+
8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**.
+
9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+
10. Close the console.
### Creating Windows Hello for Business authentication certificate template
@@ -131,28 +169,68 @@ During Windows Hello for Business provisioning, the Windows 10, version 1703 cli
Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
- **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
-6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+
+5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+
+ > [!NOTE]
+ > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
+
+6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
+
8. On the **Issuance Requirements** tab, select the **This number of authorized signatures** check box. Type **1** in the text box.
- * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
+
+ Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
+
9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
+
10. On the **Request Handling** tab, select the **Renew with same key** check box.
+
11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
+
12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+
13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template.
+
14. Click on the **Apply** to save changes and close the console.
#### Mark the template as the Windows Hello Sign-in template
Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials.
+
1. Open an elevated command prompt.
+
2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
+If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example:
+
+```console
+CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
+
+Old Value:
+msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
+CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
+CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
+TEMPLATE_SERVER_VER_WINBLUE< [!NOTE]
> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
@@ -165,11 +243,17 @@ The certificate authority may only issue certificates for certificate templates
#### Publish Certificate Templates to the Certificate Authority
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
-5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+
+5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+
6. Close the console.
@@ -182,9 +266,13 @@ The newly created domain controller authentication certificate template supersed
Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
+
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
@@ -214,4 +302,3 @@ Sign-in to the certificate authority or management workstation with _Enterprise
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: PKI (*You are here*)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index fba1fd76f8..2f6f72752a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -1,6 +1,6 @@
---
title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
-description: Configuring Windows Hello for Business settings in hybrid certificate trust deployment.
+description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 3cb290695f..51e6922080 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Key Trust New Installation
-description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
+description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 5a7e9bb20a..fa3b1d7a97 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -1,6 +1,6 @@
---
title: Hybrid Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
-description: Prerequisites for hybrid Windows Hello for Business deployments using key trust.
+description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index 1f4f6b976d..63743f3ea2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -1,6 +1,6 @@
---
title: Hybrid Key Trust Deployment (Windows Hello for Business)
-description: Hybrid Key Trust Deployment Overview
+description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 85992e20d5..73e8b956b7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -1,6 +1,6 @@
---
title: Hybrid Windows Hello for Business key trust Provisioning (Windows Hello for Business)
-description: Provisioning for hybrid key trust deployments of Windows Hello for Business.
+description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 440ab1ea70..d7355b0c32 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -74,9 +74,12 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
+> [!NOTE]
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](https://docs.microsoft.com/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#policy-conflicts-from-multiple-policy-sources)
+
#### Enable Windows Hello for Business
-The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
+The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index cb6105c66b..51d246f3f4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -8,7 +8,6 @@ ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
audience: ITPro
-author: mikestephens-MS
ms.author: dolmont
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 4e95da0531..373339ebcd 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -58,7 +58,7 @@ Use the following table to compare different Remote Desktop connection security
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
| **Helps prevent** | N/A | - Pass-the-Hash
- Use of a credential after disconnection
| - Pass-the-Hash
- Use of domain identity during connection
|
-| **Credentials supported from the remote desktop client device** | - Signed on credentials
- Supplied credentials
- Saved credentials
| - Signed on credentials only |
- Signed on credentials
- Supplied credentials
- Saved credentials
|
+| **Credentials supported from the remote desktop client device** | - Signed on credentials
- Supplied credentials
- Saved credentials
| - Signed on credentials only |
- Signed on credentials
- Supplied credentials
- Saved credentials
|
| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. |
| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 4a92507705..560f4b240c 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -270,7 +270,7 @@ To better understand each component, review the table below:
-The slider will never turn UAC completely off. If you set it to Never notify, it will:
+The slider will never turn UAC completely off. If you set it to Never notify, it will:
- Keep the UAC service running.
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 15ea04101f..9c9011d7ad 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -14,7 +14,6 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
-ms.localizationpriority: medium
ms.date: 07/27/2017
---
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 3d0fdc211e..19df534358 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -62,8 +62,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro
- Eap
- Eap
+ Eap
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 96fc9bd8c2..405ffb126f 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -252,11 +252,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
-Name |
-Parameters |
+Name |
+Parameters |
-Add-BitLockerKeyProtector |
+Add-BitLockerKeyProtector |
-ADAccountOrGroup
-ADAccountOrGroupProtector
-Confirm
@@ -278,26 +278,26 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
-WhatIf |
-Backup-BitLockerKeyProtector |
+Backup-BitLockerKeyProtector |
-Confirm
-KeyProtectorId
-MountPoint
-WhatIf |
-Disable-BitLocker |
+Disable-BitLocker |
-Confirm
-MountPoint
-WhatIf |
-Disable-BitLockerAutoUnlock |
+Disable-BitLockerAutoUnlock |
-Confirm
-MountPoint
-WhatIf |
-Enable-BitLocker |
+Enable-BitLocker |
-AdAccountOrGroup
-AdAccountOrGroupProtector
-Confirm
@@ -322,44 +322,44 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
-WhatIf |
-Enable-BitLockerAutoUnlock |
+Enable-BitLockerAutoUnlock |
-Confirm
-MountPoint
-WhatIf |
-Get-BitLockerVolume |
+Get-BitLockerVolume |
-MountPoint |
-Lock-BitLocker |
+Lock-BitLocker |
-Confirm
-ForceDismount
-MountPoint
-WhatIf |
-Remove-BitLockerKeyProtector |
+Remove-BitLockerKeyProtector |
-Confirm
-KeyProtectorId
-MountPoint
-WhatIf |
-Resume-BitLocker |
+Resume-BitLocker |
-Confirm
-MountPoint
-WhatIf |
-Suspend-BitLocker |
+Suspend-BitLocker |
-Confirm
-MountPoint
-RebootCount
-WhatIf |
-Unlock-BitLocker |
+Unlock-BitLocker |
-AdAccountOrGroup
-Confirm
-MountPoint
@@ -374,7 +374,7 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLocker volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
-Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
+Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
> **Note:** In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 436ef15fe7..be8ab9ed7b 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -106,39 +106,39 @@ This policy setting allows users on devices that are compliant with Modern Stand
|
-Policy description |
+Policy description |
With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices. |
-Introduced |
+Introduced |
Windows 10, version 1703 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware.
|
-When enabled |
+When enabled |
Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication. |
-When disabled or not configured |
+When disabled or not configured |
The options of the Require additional authentication at startup policy apply. |
-Reference
+Reference
The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby.
But visually impaired users have no audible way to know when to enter a PIN.
@@ -156,37 +156,37 @@ This policy is used in addition to the BitLocker Drive Encryption Network Unlock
-Policy description |
+Policy description |
With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors. |
-When disabled or not configured |
+When disabled or not configured |
Clients cannot create and use Network Key Protectors |
-Reference
+Reference
To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock.
@@ -205,39 +205,39 @@ This policy setting is used to control which unlock options are available for op
-Policy description |
+Policy description |
With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
If one authentication method is required, the other methods cannot be allowed.
-Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. |
+Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
-When enabled |
+When enabled |
Users can configure advanced startup options in the BitLocker Setup Wizard. |
-When disabled or not configured |
+When disabled or not configured |
Users can configure only basic options on computers with a TPM.
Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs. |
-Reference
+Reference
If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
@@ -282,31 +282,31 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth
-Policy description |
+Policy description |
With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected. |
-When disabled or not configured |
+When disabled or not configured |
Enhanced PINs will not be used. |
@@ -330,37 +330,37 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
-Policy description |
+Policy description |
With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits. |
-When disabled or not configured |
+When disabled or not configured |
Users can configure a startup PIN of any length between 6 and 20 digits. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
@@ -413,31 +413,31 @@ This policy setting allows you to configure whether standard users are allowed t
-Policy description |
+Policy description |
With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
Standard users are not allowed to change BitLocker PINs or passwords. |
-When disabled or not configured |
+When disabled or not configured |
Standard users are permitted to change BitLocker PINs or passwords. |
@@ -459,37 +459,37 @@ This policy controls how non-TPM based systems utilize the password protector. U
-Policy description |
+Policy description |
With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
Passwords cannot be used if FIPS-compliance is enabled.
- NoteThe System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
+ NoteThe System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
|
-When enabled |
-Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity. |
+When enabled |
+Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity. |
-When disabled or not configured |
+When disabled or not configured |
The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur. |
@@ -522,37 +522,37 @@ This policy setting is used to control what unlock options are available for com
-Policy description |
+Policy description |
With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts. |
-Introduced |
+Introduced |
Windows Server 2008 and Windows Vista |
-Drive type |
+Drive type |
Operating system drives (Windows Server 2008 and Windows Vista) |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
If you choose to require an additional authentication method, other authentication methods cannot be allowed. |
-When enabled |
+When enabled |
The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM. |
-When disabled or not configured |
+When disabled or not configured |
The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured. |
-Reference
+Reference
On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN.
@@ -586,41 +586,41 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
-Policy description |
+Policy description |
With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Fixed data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-Conflicts |
-To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
+Conflicts |
+To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
-When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box. |
+When enabled |
+Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box. |
-When disabled |
+When disabled |
Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives. |
-When not configured |
+When not configured |
Smart cards can be used to authenticate user access to a BitLocker-protected drive. |
-Reference
+Reference
>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.
@@ -635,41 +635,41 @@ This policy setting is used to require, allow, or deny the use of passwords with
-Policy description |
+Policy description |
With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Fixed data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-Conflicts |
-To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled. |
+Conflicts |
+To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled. |
-When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity. |
+When enabled |
+Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity. |
-When disabled |
+When disabled |
The user is not allowed to use a password. |
-When not configured |
+When not configured |
Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters. |
-Reference
+Reference
When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled.
@@ -699,41 +699,41 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
-Policy description |
+Policy description |
With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Removable data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-Conflicts |
-To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
+Conflicts |
+To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
-When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box. |
+When enabled |
+Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box. |
-When disabled or not configured |
+When disabled or not configured |
Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives. |
-When not configured |
+When not configured |
Smart cards are available to authenticate user access to a BitLocker-protected removable data drive. |
-Reference
+Reference
>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
@@ -748,41 +748,41 @@ This policy setting is used to require, allow, or deny the use of passwords with
-Policy description |
+Policy description |
With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Removable data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-Conflicts |
-To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled. |
+Conflicts |
+To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled. |
-When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity. |
+When enabled |
+Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity. |
-When disabled |
+When disabled |
The user is not allowed to use a password. |
-When not configured |
+When not configured |
Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters. |
-Reference
+Reference
If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled.
@@ -812,37 +812,37 @@ This policy setting is used to determine what certificate to use with BitLocker.
-Policy description |
+Policy description |
With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Fixed and removable data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-Conflicts |
+Conflicts |
None |
-When enabled |
-The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate. |
+When enabled |
+The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate. |
-When disabled or not configured |
+When disabled or not configured |
The default object identifier is used. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -863,37 +863,37 @@ This policy setting allows users to enable authentication options that require u
-Policy description |
+Policy description |
With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drive |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
Devices must have an alternative means of preboot input (such as an attached USB keyboard). |
-When disabled or not configured |
+When disabled or not configured |
The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. |
-Reference
+Reference
The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
@@ -918,37 +918,37 @@ This policy setting is used to require encryption of fixed drives prior to grant
-Policy description |
+Policy description |
With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Fixed data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-Conflicts |
+Conflicts |
See the Reference section for a description of conflicts. |
-When enabled |
+When enabled |
All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access. |
-When disabled or not configured |
+When disabled or not configured |
All fixed data drives on the computer are mounted with Read and Write access. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -973,37 +973,37 @@ This policy setting is used to require that removable drives are encrypted prior
-Policy description |
+Policy description |
With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Removable data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-Conflicts |
+Conflicts |
See the Reference section for a description of conflicts. |
-When enabled |
+When enabled |
All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access. |
-When disabled or not configured |
+When disabled or not configured |
All removable data drives on the computer are mounted with Read and Write access. |
-Reference
+Reference
If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting.
@@ -1026,41 +1026,41 @@ This policy setting is used to prevent users from turning BitLocker on or off on
-Policy description |
+Policy description |
With this policy setting, you can control the use of BitLocker on removable data drives. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Removable data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
You can select property settings that control how users can configure BitLocker. |
-When disabled |
+When disabled |
Users cannot use BitLocker on removable data drives. |
-When not configured |
+When not configured |
Users can use BitLocker on removable data drives. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1082,37 +1082,37 @@ This policy setting is used to control the encryption method and cipher strength
-Policy description |
+Policy description |
With this policy setting, you can control the encryption method and strength for drives. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
All drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. |
-When disabled or not configured |
+When disabled or not configured |
Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy. |
-Reference
+Reference
The values of this policy determine the strength of the cipher that BitLocker uses for encryption.
Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
@@ -1138,42 +1138,42 @@ This policy controls how BitLocker reacts to systems that are equipped with encr
-Policy description |
+Policy description |
With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Fixed data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-When disabled |
+When disabled |
BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-When not configured |
+When not configured |
BitLocker software-based encryption is used irrespective of hardware-based encryption ability.
|
-Reference
+Reference
>**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
@@ -1193,41 +1193,41 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper
-Policy description |
+Policy description |
With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-When disabled |
+When disabled |
BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-When not configured |
+When not configured |
BitLocker software-based encryption is used irrespective of hardware-based encryption ability. |
-Reference
+Reference
If hardware-based encryption is not available, BitLocker software-based encryption is used instead.
@@ -1249,41 +1249,41 @@ This policy controls how BitLocker reacts to encrypted drives when they are used
-Policy description |
+Policy description |
With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Removable data drive |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-When disabled |
+When disabled |
BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-When not configured |
+When not configured |
BitLocker software-based encryption is used irrespective of hardware-based encryption ability. |
-Reference
+Reference
If hardware-based encryption is not available, BitLocker software-based encryption is used instead.
@@ -1305,37 +1305,37 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio
-Policy description |
+Policy description |
With this policy setting, you can configure the encryption type that is used by BitLocker. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Fixed data drive |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-When disabled or not configured |
+When disabled or not configured |
The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
@@ -1354,37 +1354,37 @@ This policy controls whether operating system drives utilize Full encryption or
-Policy description |
+Policy description |
With this policy setting, you can configure the encryption type that is used by BitLocker. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drive |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-When disabled or not configured |
+When disabled or not configured |
The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
@@ -1403,37 +1403,37 @@ This policy controls whether fixed data drives utilize Full encryption or Used S
-Policy description |
+Policy description |
With this policy setting, you can configure the encryption type that is used by BitLocker. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Removable data drive |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-When disabled or not configured |
+When disabled or not configured |
The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
@@ -1452,38 +1452,38 @@ This policy setting is used to configure recovery methods for operating system d
-Policy description |
+Policy description |
With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
-When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting. |
+Conflicts |
+You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
+When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting. |
-When enabled |
+When enabled |
You can control the methods that are available to users to recover data from BitLocker-protected operating system drives. |
-When disabled or not configured |
+When disabled or not configured |
The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1513,37 +1513,37 @@ This policy setting is used to configure recovery methods for BitLocker-protecte
-Policy description |
+Policy description |
With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options. |
-Introduced |
+Introduced |
Windows Server 2008 and Windows Vista |
-Drive type |
+Drive type |
Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-Conflicts |
-This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error. |
+Conflicts |
+This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error. |
-When enabled |
+When enabled |
You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data. |
-When disabled or not configured |
+When disabled or not configured |
The BitLocker Setup Wizard presents users with ways to store recovery options. |
-Reference
+Reference
This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.
@@ -1567,37 +1567,37 @@ This policy setting is used to configure the storage of BitLocker recovery infor
-Policy description |
+Policy description |
With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information. |
-Introduced |
+Introduced |
Windows Server 2008 and Windows Vista |
-Drive type |
+Drive type |
Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista. |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. |
-When disabled or not configured |
+When disabled or not configured |
BitLocker recovery information is not backed up to AD DS. |
-Reference
+Reference
This policy is only applicable to computers running Windows Server 2008 or Windows Vista.
@@ -1625,37 +1625,37 @@ This policy setting is used to configure the default folder for recovery passwor
-Policy description |
+Policy description |
With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password. |
-Introduced |
+Introduced |
Windows Vista |
-Drive type |
+Drive type |
All drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view. |
-When disabled or not configured |
+When disabled or not configured |
The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1672,38 +1672,38 @@ This policy setting is used to configure recovery methods for fixed data drives.
-Policy description |
+Policy description |
With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Fixed data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
-When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
+Conflicts |
+You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
+When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
-When enabled |
+When enabled |
You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives. |
-When disabled or not configured |
+When disabled or not configured |
The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1733,38 +1733,38 @@ This policy setting is used to configure recovery methods for removable data dri
-Policy description |
+Policy description |
With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Removable data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
-When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
+Conflicts |
+You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
+When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
-When enabled |
+When enabled |
You can control the methods that are available to users to recover data from BitLocker-protected removable data drives. |
-When disabled or not configured |
+When disabled or not configured |
The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker.
@@ -1791,37 +1791,37 @@ This policy setting is used to configure the entire recovery message and to repl
-Policy description |
+Policy description |
With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL. |
-Introduced |
+Introduced |
Windows 10 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL |
-Conflicts |
+Conflicts |
None |
-When enabled |
-The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option. |
+When enabled |
+The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option. |
-When disabled or not configured |
+When disabled or not configured |
If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message. |
-Reference
+Reference
Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key.
@@ -1846,38 +1846,38 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc
-Policy description |
+Policy description |
With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
All drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
-If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.
+ | Conflicts |
+If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.
For more information about PCR 7, see Platform Configuration Register (PCR) in this topic. |
-When enabled or not configured |
+When enabled or not configured |
BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation. |
-When disabled |
+When disabled |
BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation. |
-Reference
+Reference
Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.
@@ -1895,37 +1895,37 @@ This policy setting is used to establish an identifier that is applied to all dr
-Policy description |
+Policy description |
With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
All drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-Conflicts |
+Conflicts |
Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer. |
-When enabled |
+When enabled |
You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization. |
-When disabled or not configured |
+When disabled or not configured |
The identification field is not required. |
-Reference
+Reference
These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool.
@@ -1952,37 +1952,37 @@ This policy setting is used to control whether the computer's memory will be ove
-Policy description |
+Policy description |
With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets. |
-Introduced |
+Introduced |
Windows Vista |
-Drive type |
+Drive type |
All drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets. |
-When disabled or not configured |
+When disabled or not configured |
BitLocker secrets are removed from memory when the computer restarts. |
-Reference
+Reference
This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled.
@@ -1997,37 +1997,37 @@ This policy setting determines what values the TPM measures when it validates ea
-Policy description |
+Policy description |
With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-When disabled or not configured |
+When disabled or not configured |
The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-Reference
+Reference
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.
@@ -2072,37 +2072,37 @@ This policy setting determines what values the TPM measures when it validates ea
-Policy description |
+Policy description |
With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key. |
-Introduced |
+Introduced |
Windows Server 2008 and Windows Vista |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-When disabled or not configured |
+When disabled or not configured |
The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-Reference
+Reference
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection.
@@ -2147,39 +2147,39 @@ This policy setting determines what values the TPM measures when it validates ea
-Policy description |
+Policy description |
With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
-Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
+ | Conflicts |
+Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.
For more information about PCR 7, see Platform Configuration Register (PCR) in this topic. |
-When enabled |
+When enabled |
Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-When disabled or not configured |
+When disabled or not configured |
BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-Reference
+Reference
This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection.
@@ -2222,41 +2222,41 @@ This policy setting determines if you want platform validation data to refresh w
-Policy description |
+Policy description |
With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
+Conflicts |
None |
-When enabled |
+When enabled |
Platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-When disabled |
+When disabled |
Platform validation data is not refreshed when Windows is started following a BitLocker recovery. |
-When not configured |
+When not configured |
Platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-Reference
+Reference
For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md).
@@ -2271,41 +2271,41 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t
-Policy description |
+Policy description |
With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation. |
-Introduced |
+Introduced |
Windows Server 2012 and Windows 8 |
-Drive type |
+Drive type |
Operating system drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-Conflicts |
-When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting). |
+Conflicts |
+When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting). |
-When enabled |
+When enabled |
You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings. |
-When disabled |
+When disabled |
The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7. |
-When not configured |
+When not configured |
The computer verifies the default BCD settings in Windows. |
-Reference
+Reference
>**Note:** The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list.
@@ -2320,37 +2320,37 @@ This policy setting is used to control whether access to drives is allowed by us
-Policy description |
+Policy description |
With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2). |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Fixed data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-Conflicts |
+Conflicts |
None |
-When enabled and When not configured |
+When enabled and When not configured |
Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. |
-When disabled |
+When disabled |
Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. |
-Reference
+Reference
>**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system.
@@ -2367,37 +2367,37 @@ This policy setting controls access to removable data drives that are using the
-Policy description |
+Policy description |
With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. |
-Introduced |
+Introduced |
Windows Server 2008 R2 and Windows 7 |
-Drive type |
+Drive type |
Removable data drives |
-Policy path |
+Policy path |
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-Conflicts |
+Conflicts |
None |
-When enabled and When not configured |
+When enabled and When not configured |
Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. |
-When disabled |
+When disabled |
Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. |
-Reference
+Reference
>**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system.
@@ -2414,37 +2414,37 @@ You can configure the Federal Information Processing Standard (FIPS) setting for
-Policy description |
+Policy description |
Notes |
-Introduced |
+Introduced |
Windows Server 2003 with SP1 |
-Drive type |
+Drive type |
System-wide |
-Policy path |
-Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing |
+Policy path |
+Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing |
-Conflicts |
+Conflicts |
Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems. |
-When enabled |
+When enabled |
Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password. |
-When disabled or not configured |
+When disabled or not configured |
No BitLocker encryption key is generated |
-Reference
+Reference
This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
index e8bd11f12b..275443414a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -24,7 +24,7 @@ ms.date: 07/10/2018
## What is BitLocker To Go?
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index e4e1a3ffcd..220bed5038 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -126,11 +126,11 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
-Name |
-Parameters |
+Name |
+Parameters |
-Add-BitLockerKeyProtector |
+Add-BitLockerKeyProtector |
-ADAccountOrGroup
-ADAccountOrGroupProtector
-Confirm
@@ -152,26 +152,26 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
-WhatIf |
-Backup-BitLockerKeyProtector |
+Backup-BitLockerKeyProtector |
-Confirm
-KeyProtectorId
-MountPoint
-WhatIf |
-Disable-BitLocker |
+Disable-BitLocker |
-Confirm
-MountPoint
-WhatIf |
-Disable-BitLockerAutoUnlock |
+Disable-BitLockerAutoUnlock |
-Confirm
-MountPoint
-WhatIf |
-Enable-BitLocker |
+Enable-BitLocker |
-AdAccountOrGroup
-AdAccountOrGroupProtector
-Confirm
@@ -196,44 +196,44 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
-WhatIf |
-Enable-BitLockerAutoUnlock |
+Enable-BitLockerAutoUnlock |
-Confirm
-MountPoint
-WhatIf |
-Get-BitLockerVolume |
+Get-BitLockerVolume |
-MountPoint |
-Lock-BitLocker |
+Lock-BitLocker |
-Confirm
-ForceDismount
-MountPoint
-WhatIf |
-Remove-BitLockerKeyProtector |
+Remove-BitLockerKeyProtector |
-Confirm
-KeyProtectorId
-MountPoint
-WhatIf |
-Resume-BitLocker |
+Resume-BitLocker |
-Confirm
-MountPoint
-WhatIf |
-Suspend-BitLocker |
+Suspend-BitLocker |
-Confirm
-MountPoint
-RebootCount
-WhatIf |
-Unlock-BitLocker |
+Unlock-BitLocker |
-AdAccountOrGroup
-Confirm
-MountPoint
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index 1473dadc79..d6b97d2ac5 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -168,91 +168,91 @@ The following table contains information about both Physical Disk Resources (i.e
|
-Action |
-On owner node of failover volume |
-On Metadata Server (MDS) of CSV |
-On (Data Server) DS of CSV |
-Maintenance Mode |
+Action |
+On owner node of failover volume |
+On Metadata Server (MDS) of CSV |
+On (Data Server) DS of CSV |
+Maintenance Mode |
-Manage-bde –on |
+Manage-bde –on |
Blocked |
Blocked |
Blocked |
Allowed |
-Manage-bde –off |
+Manage-bde –off |
Blocked |
Blocked |
Blocked |
Allowed |
-Manage-bde Pause/Resume |
+Manage-bde Pause/Resume |
Blocked |
-Blocked |
+Blocked |
Blocked |
Allowed |
-Manage-bde –lock |
+Manage-bde –lock |
Blocked |
Blocked |
Blocked |
Allowed |
-manage-bde –wipe |
+manage-bde –wipe |
Blocked |
Blocked |
Blocked |
Allowed |
-Unlock |
+Unlock |
Automatic via cluster service |
Automatic via cluster service |
Automatic via cluster service |
Allowed |
-manage-bde –protector –add |
+manage-bde –protector –add |
Allowed |
Allowed |
Blocked |
Allowed |
-manage-bde -protector -delete |
+manage-bde -protector -delete |
Allowed |
Allowed |
Blocked |
Allowed |
-manage-bde –autounlock |
+manage-bde –autounlock |
Allowed (not recommended) |
Allowed (not recommended) |
Blocked |
Allowed (not recommended) |
-Manage-bde -upgrade |
+Manage-bde -upgrade |
Allowed |
Allowed |
Blocked |
Allowed |
-Shrink |
+Shrink |
Allowed |
Allowed |
Blocked |
Allowed |
-Extend |
+Extend |
Allowed |
Allowed |
Blocked |
@@ -261,7 +261,7 @@ The following table contains information about both Physical Disk Resources (i.e
->Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
+>Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process.
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 60283edd89..97733a4dd7 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -4,7 +4,6 @@ description: Learn how unenlightened and enlightened apps might behave, based on
keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
ms.prod: w10
ms.mktglfcycl: explore
-ms.pagetype: security
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
@@ -54,7 +53,7 @@ This table includes info about how unenlightened apps might behave, based on you
Name-based policies, using the /*AppCompat*/ string or proxy-based policies |
- | Not required. App connects to enterprise cloud resources directly, using an IP address. |
+ Not required. App connects to enterprise cloud resources directly, using an IP address. |
- App is entirely blocked from both personal and enterprise cloud resources.
@@ -71,7 +70,7 @@ This table includes info about how unenlightened apps might behave, based on you
|
- | Not required. App connects to enterprise cloud resources, using a hostname. |
+ Not required. App connects to enterprise cloud resources, using a hostname. |
- App is blocked from accessing enterprise cloud resources, but can access other network resources.
@@ -81,7 +80,7 @@ This table includes info about how unenlightened apps might behave, based on you
|
- | Allow. App connects to enterprise cloud resources, using an IP address or a hostname. |
+ Allow. App connects to enterprise cloud resources, using an IP address or a hostname. |
- App can access both personal and enterprise cloud resources.
@@ -91,7 +90,7 @@ This table includes info about how unenlightened apps might behave, based on you
|
- | Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. |
+ Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. |
- App can access both personal and enterprise cloud resources.
@@ -111,7 +110,7 @@ This table includes info about how enlightened apps might behave, based on your
Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies |
|
- | Not required. App connects to enterprise cloud resources, using an IP address or a hostname. |
+ Not required. App connects to enterprise cloud resources, using an IP address or a hostname. |
- App is blocked from accessing enterprise cloud resources, but can access other network resources.
@@ -121,7 +120,7 @@ This table includes info about how enlightened apps might behave, based on your
|
- | Allow. App connects to enterprise cloud resources, using an IP address or a hostname. |
+ Allow. App connects to enterprise cloud resources, using an IP address or a hostname. |
- App can access both personal and enterprise cloud resources.
@@ -131,7 +130,7 @@ This table includes info about how enlightened apps might behave, based on your
|
- | Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. |
+ Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. |
|
- | Publisher selected |
+ Publisher selected |
All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps. |
- | Publisher and Product Name selected |
+ Publisher and Product Name selected |
All files for the specified product, signed by the named publisher. |
- | Publisher, Product Name, and Binary name selected |
+ Publisher, Product Name, and Binary name selected |
Any version of the named file or package for the specified product, signed by the named publisher. |
- | Publisher, Product Name, Binary name, and File Version, and above, selected |
+ Publisher, Product Name, Binary name, and File Version, and above, selected |
Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
- | Publisher, Product Name, Binary name, and File Version, And below selected |
+ Publisher, Product Name, Binary name, and File Version, And below selected |
Specified version or older releases of the named file or package for the specified product, signed by the named publisher. |
- | Publisher, Product Name, Binary name, and File Version, Exactly selected |
+ Publisher, Product Name, Binary name, and File Version, Exactly selected |
Specified version of the named file or package for the specified product, signed by the named publisher. |
@@ -403,8 +403,8 @@ There are no default locations included with WIP, you must add each of your netw
| Enterprise Cloud Resources |
- With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.comWithout proxy: contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>. Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. |
+ With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.comWithout proxy: contoso.sharepoint.com|contoso.visualstudio.com |
+ Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>. Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. |
| Enterprise Network Domain Names (Required) |
@@ -422,12 +422,12 @@ There are no default locations included with WIP, you must add each of your netw
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter. |
| Enterprise IPv4 Range (Required) |
- Starting IPv4 Address: 3.4.0.1
Ending IPv4 Address: 3.4.255.254
Custom URI: 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254 |
+ Starting IPv4 Address: 3.4.0.1
Ending IPv4 Address: 3.4.255.254
Custom URI: 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254 |
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
| Enterprise IPv6 Range |
- Starting IPv6 Address: 2a01:110::
Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
+ Starting IPv6 Address: 2a01:110::
Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index b3f555bb13..c1f81c4974 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -214,6 +214,8 @@ Path Publisher
Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name.
+Regarding to how to get the Product Name for the Apps you wish to Add, please reach out to our Windows Support Team to request the guidelines
+
### Import a list of apps
This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time.
@@ -461,10 +463,10 @@ contoso.sharepoint.com|contoso.visualstudio.com
Specify the domains used for identities in your environment.
All traffic to the fully-qualified domains appearing in this list will be protected.
-Separate multiple domains with the "," delimiter.
+Separate multiple domains with the "|" delimiter.
```code
-exchange.contoso.com,contoso.com,region.contoso.com
+exchange.contoso.com|contoso.com|region.contoso.com
```
### Network domains
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 8c01645295..a099742145 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -108,7 +108,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
| Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
| IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** iexplore.exe
**App Type:** Desktop app |
| OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app |
-| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Microsoftskydrive
Product Version:Product version: 17.21.0.0 (and later)
**App Type:** Universal app |
+| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Microsoftskydrive
Product Version:Product version: 17.21.0.0 (and later)
**App Type:** Universal app |
| Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app |
| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 340c9edb2a..c1cd7193c0 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -33,18 +33,18 @@ This table provides info about the most common problems you might encounter whil
| Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. |
- If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |
+ If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |
Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
| Direct Access is incompatible with WIP. |
Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. |
- We recommend that you use VPN for client access to your intranet resources.
Note
VPN is optional and isn’t required by WIP. |
+ We recommend that you use VPN for client access to your intranet resources.
Note
VPN is optional and isn’t required by WIP. |
- | NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. |
- The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. |
- If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. |
+ NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. |
+ The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. |
+ If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. |
| Cortana can potentially allow data leakage if it’s on the allowed apps list. |
@@ -63,7 +63,7 @@ This table provides info about the most common problems you might encounter whil
- Start the installer directly from the file share.
-OR-
- Decrypt the locally copied files needed by the installer.
-OR-
- - Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
+ - Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
@@ -74,17 +74,17 @@ This table provides info about the most common problems you might encounter whil
| Redirected folders with Client Side Caching are not compatible with WIP. |
Apps might encounter access errors while attempting to read a cached, offline file. |
- Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
Note
For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. |
+ Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
Note
For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. |
| An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. |
- Data copied from the WIP-managed device is marked as Work. Data copied to the WIP-managed device is not marked as Work. Local Work data copied to the WIP-managed device remains Work data. Work data that is copied between two apps in the same session remains data. |
+ Data copied from the WIP-managed device is marked as Work. Data copied to the WIP-managed device is not marked as Work. Local Work data copied to the WIP-managed device remains Work data. Work data that is copied between two apps in the same session remains data. |
Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default. |
| You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. |
- A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. |
- Open File Explorer and change the file ownership to Personal before you upload. |
+ A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. |
+ Open File Explorer and change the file ownership to Personal before you upload. |
| ActiveX controls should be used with caution. |
@@ -97,7 +97,7 @@ This table provides info about the most common problems you might encounter whil
Format drive for NTFS, or use a different drive. |
- | WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:
+ | WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:
- AppDataRoaming
- Desktop
@@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil
|
WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. |
- Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection.
+ | Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection.
|
@@ -143,7 +143,7 @@ This table provides info about the most common problems you might encounter whil
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.
- | Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected.
+ | Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected.
|
If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
|
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 961744bbf6..7353daae25 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -39,30 +39,30 @@ You can try any of the processes included in these scenarios, but you should foc
| Encrypt and decrypt files using File Explorer. |
- For desktop:
+ | For desktop:
- - Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
- - In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
+ - Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
+ - In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
- For mobile:
+ For mobile:
- - Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
- - Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
- - Select the same file, click File ownership from the drop down menu, and then click Personal.
Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
+ - Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
+ - Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
+ - Select the same file, click File ownership from the drop down menu, and then click Personal.
Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
|
| Create work documents in enterprise-allowed apps. |
- For desktop:
+ | For desktop:
- - Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
Important
Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.
For more info about your Enterprise Identity and adding apps to your allowed apps list, see either Create a Windows Information Protection (WIP) policy using Microsoft Intune or Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager, based on your deployment system.
+ - Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
Important
Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.
For more info about your Enterprise Identity and adding apps to your allowed apps list, see either Create a Windows Information Protection (WIP) policy using Microsoft Intune or Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager, based on your deployment system.
- For mobile:
+ For mobile:
- - Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
+ - Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
- Open the same document and attempt to save it to a non-work-related location.
WIP should stop you from saving the file to this location.
- - Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
+ - Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
|
@@ -70,7 +70,7 @@ You can try any of the processes included in these scenarios, but you should foc
- Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.
The app shouldn't be able to access the file.
- - Try double-clicking or tapping on the work-encrypted file.
If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
+ - Try double-clicking or tapping on the work-encrypted file.
If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
|
@@ -78,9 +78,9 @@ You can try any of the processes included in these scenarios, but you should foc
Copy and paste from enterprise apps to non-enterprise apps. |
- - Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
- - Click Keep at work.
The content isn't pasted into the non-enterprise app.
- - Repeat Step 1, but this time click Change to personal, and try to paste the content again.
The content is pasted into the non-enterprise app.
+ - Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
+ - Click Keep at work.
The content isn't pasted into the non-enterprise app.
+ - Repeat Step 1, but this time click Change to personal, and try to paste the content again.
The content is pasted into the non-enterprise app.
- Try copying and pasting content between apps on your allowed apps list.
The content should copy and paste between apps without any warning messages.
|
@@ -89,9 +89,9 @@ You can try any of the processes included in these scenarios, but you should foc
Drag and drop from enterprise apps to non-enterprise apps. |
- - Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
- - Click Keep at work.
The content isn't dropped into the non-enterprise app.
- - Repeat Step 1, but this time click Change to personal, and try to drop the content again.
The content is dropped into the non-enterprise app.
+ - Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
+ - Click Keep at work.
The content isn't dropped into the non-enterprise app.
+ - Repeat Step 1, but this time click Change to personal, and try to drop the content again.
The content is dropped into the non-enterprise app.
- Try dragging and dropping content between apps on your allowed apps list.
The content should move between the apps without any warning messages.
|
@@ -100,9 +100,9 @@ You can try any of the processes included in these scenarios, but you should foc
Share between enterprise apps and non-enterprise apps. |
- - Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
- - Click Keep at work.
The content isn't shared into Facebook.
- - Repeat Step 1, but this time click Change to personal, and try to share the content again.
The content is shared into Facebook.
+ - Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
+ - Click Keep at work.
The content isn't shared into Facebook.
+ - Repeat Step 1, but this time click Change to personal, and try to share the content again.
The content is shared into Facebook.
- Try sharing content between apps on your allowed apps list.
The content should share between the apps without any warning messages.
|
@@ -112,8 +112,8 @@ You can try any of the processes included in these scenarios, but you should foc
- Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
- - Open File Explorer and make sure your modified files are appearing with a Lock icon.
- - Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.
Note
Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
+ - Open File Explorer and make sure your modified files are appearing with a Lock icon.
+ - Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.
Note
Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
|
@@ -130,7 +130,7 @@ You can try any of the processes included in these scenarios, but you should foc
Verify your shared files can use WIP. |
- - Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
+ - Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
- Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.
- Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.
The app shouldn't be able to access the file share.
@@ -142,7 +142,7 @@ You can try any of the processes included in these scenarios, but you should foc
- Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
- Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
Both browsers should respect the enterprise and personal boundary.
- - Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
IE11 shouldn't be able to access the sites.
Note
Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
+ - Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
IE11 shouldn't be able to access the sites.
Note
Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
|
@@ -150,7 +150,7 @@ You can try any of the processes included in these scenarios, but you should foc
Verify your Virtual Private Network (VPN) can be auto-triggered. |
- - Set up your VPN network to start based on the WIPModeID setting.
For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
+ - Set up your VPN network to start based on the WIPModeID setting.
For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
- Start an app from your allowed apps list.
The VPN network should automatically start.
- Disconnect from your network and then start an app that isn't on your allowed apps list.
The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
@@ -160,7 +160,7 @@ You can try any of the processes included in these scenarios, but you should foc
| Unenroll client devices from WIP. |
- - Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
The device should be removed and all of the enterprise content for that managed account should be gone.
Important
On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
+ - Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
The device should be removed and all of the enterprise content for that managed account should be gone.
Important
On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
|
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index ad8caa24a0..1068081e2d 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -52,7 +52,7 @@
### [Attack surface reduction]()
#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
-#### [Attack surface reduction evaluation](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
+#### [Evaluate attack surface reduction rules](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
@@ -60,6 +60,7 @@
##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md)
+##### [View attack surface reduction events](microsoft-defender-atp/event-views.md)
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
@@ -85,12 +86,15 @@
#### [Exploit protection]()
##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
+##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
+##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
+##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
#### [Network protection]()
##### [Protect your network](microsoft-defender-atp/network-protection.md)
-##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md)
-##### [Enable network protection](microsoft-defender-atp/enable-network-protection.md)
+##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md)
+##### [Turning on network protection](microsoft-defender-atp/enable-network-protection.md)
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
@@ -102,7 +106,9 @@
#### [Controlled folder access]()
##### [Protect folders](microsoft-defender-atp/controlled-folders.md)
-##### [Controlled folder access evaluation](microsoft-defender-atp/evaluate-controlled-folder-access.md)
+##### [Evaluate controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
+##### [Enable controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
+##### [Customize controlled folder access](microsoft-defender-atp/customize-controlled-folders.md)
@@ -341,8 +347,9 @@
#### [Custom detections]()
-##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
+##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
### [Behavioral blocking and containment]()
#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
@@ -459,7 +466,7 @@
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-
+### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md)
## Reference
### [Management and APIs]()
@@ -554,7 +561,7 @@
####### [Score methods and properties](microsoft-defender-atp/score.md)
####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
-####### [Get machine secure score](microsoft-defender-atp/get-device-secure-score.md)
+####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
###### [Software]()
####### [Software methods and properties](microsoft-defender-atp/software.md)
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index cf8e0d63b8..b310cd06ca 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -146,6 +146,7 @@ This event generates when a logon session is created (on destination machine). I
| Logon Type | Logon Title | Description |
|:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `0` | `System` | Used only by the System account, for example at system startup. |
| `2` | `Interactive` | A user logged on to this computer. |
| `3` | `Network` | A user or computer logged on to this computer from the network. |
| `4` | `Batch` | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
@@ -155,6 +156,8 @@ This event generates when a logon session is created (on destination machine). I
| `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
+| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. |
+| `13` | `CachedUnlock` | Workstation logon. |
- **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.
diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
index d0474f5941..4289b8d65a 100644
--- a/windows/security/threat-protection/auditing/event-4626.md
+++ b/windows/security/threat-protection/auditing/event-4626.md
@@ -157,7 +157,7 @@ This event generates on the computer to which the logon was performed (target co
- “dadmin” – claim value.
-**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed.
+**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed.
## Security Monitoring Recommendations
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index 45dcd000c9..bc6d20907b 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -274,5 +274,5 @@ For file system and registry objects, the following recommendations apply.
- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.**
-- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers.
+- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers.
diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
index 1641acbc10..81b9fd94a0 100644
--- a/windows/security/threat-protection/auditing/event-4672.md
+++ b/windows/security/threat-protection/auditing/event-4672.md
@@ -22,7 +22,7 @@ ms.author: dansimp
-Subcategory: Audit Special Logon
+Subcategory: Audit Special Logon
***Event Description:***
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index 1caa24d32d..dc2d0e52fe 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -135,40 +135,40 @@ Failure event generates when service call attempt fails.
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
-| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
-| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
-| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
-| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
Create symbolic links | Required to create a symbolic link. |
-| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
-| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. |
-| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
-| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. |
-| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
-| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
-| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
Modify an object label | Required to modify the mandatory integrity level of an object. |
-| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
Force shutdown from a remote system | Required to shut down a system using a network request. |
-| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
Shut down the system | Required to shut down a local system. |
-| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
-| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
-| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
-| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
-| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
-| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
+| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
+| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
+| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
+| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
+| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
Create symbolic links | Required to create a symbolic link. |
+| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
+| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. |
+| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
+| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. |
+| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
+| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
+| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
Modify an object label | Required to modify the mandatory integrity level of an object. |
+| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
Force shutdown from a remote system | Required to shut down a system using a network request. |
+| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
Shut down the system | Required to shut down a local system. |
+| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
+| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
+| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
+| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
+| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
+| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
-| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
-| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
-| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
-| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
-| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
-| Audit Sensitive Privilege Use | SeTcbPrivilege:
Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
-| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
+| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
+| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
+| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
+| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
+| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
+| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
+| Audit Sensitive Privilege Use | SeTcbPrivilege:
Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
+| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
## Security Monitoring Recommendations
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
index b4146f681a..5781254277 100644
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ b/windows/security/threat-protection/auditing/event-4674.md
@@ -157,42 +157,42 @@ Failure event generates when operation attempt fails.
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
-| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
-| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
-| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
-| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
Create symbolic links | Required to create a symbolic link. |
-| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
-| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. |
-| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
-| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
-| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
-| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
-| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
Modify an object label | Required to modify the mandatory integrity level of an object. |
-| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
Force shutdown from a remote system | Required to shut down a system using a network request. |
-| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
Shut down the system | Required to shut down a local system. |
-| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
-| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
-| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
-| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
-| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
-| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
+| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
+| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
+| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
+| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
+| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
Create symbolic links | Required to create a symbolic link. |
+| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
+| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. |
+| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
+| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
+| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
+| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
+| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
Modify an object label | Required to modify the mandatory integrity level of an object. |
+| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
Force shutdown from a remote system | Required to shut down a system using a network request. |
+| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
Shut down the system | Required to shut down a local system. |
+| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
+| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
+| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
+| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
+| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
+| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
-| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
-| Audit Sensitive Privilege Use | SeBackupPrivilege:
Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
-| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
-| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
This user right provides complete access to sensitive and critical operating system components. |
-| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
-| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Sensitive Privilege Use | SeRestorePrivilege:
Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| Audit Sensitive Privilege Use | SeSecurityPrivilege:
Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
-| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
-| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
+| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
+| Audit Sensitive Privilege Use | SeBackupPrivilege:
Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
+| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
This user right provides complete access to sensitive and critical operating system components. |
+| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
+| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
+| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Sensitive Privilege Use | SeRestorePrivilege:
Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
+| Audit Sensitive Privilege Use | SeSecurityPrivilege:
Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
+| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
+| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
## Security Monitoring Recommendations
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 55ace9419d..e441a2501c 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -206,9 +206,9 @@ For 4688(S): A new process has been created.
- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**.
-- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason.
+- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason.
-- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges.
+- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges.
- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs.
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index ef907d69b0..ddfd079946 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -242,7 +242,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“.
-- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation:
+- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation:
HOST/Win81.contoso.local
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index b39135ee00..94fc78b48f 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -243,7 +243,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here.
- Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots:
+ Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots:
HOST/Win81.contoso.local
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index 34454c6d14..6610d670eb 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -285,5 +285,5 @@ For 4907(S): Auditing settings on object were changed.
- If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**.
-- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers.
+- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers.
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index a4f705ba93..3d3d5152cc 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -145,7 +145,7 @@ For 5140(S, F): A network share object was accessed.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers.
+- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers.
- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range.
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
index 858e4a608f..727a8f8576 100644
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ b/windows/security/threat-protection/auditing/event-5142.md
@@ -104,7 +104,7 @@ For 5142(S): A network share object was added.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers.
+- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers.
- We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information.
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index c7f46521ae..7fd678a12b 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -259,5 +259,5 @@ For 5143(S): A network share object was modified.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers.
+- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers.
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
index 4c20a34092..c0cff03c22 100644
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ b/windows/security/threat-protection/auditing/event-5144.md
@@ -106,5 +106,5 @@ For 5144(S): A network share object was deleted.
- If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.**
-- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers.
+- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers.
diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
index bddb29f760..2bc61ffce1 100644
--- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
@@ -2,7 +2,6 @@
title: Plan and deploy advanced security audit policies (Windows 10)
description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies.
ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442
-
ms.reviewer:
ms.author: dansimp
ms.prod: w10
diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md
index 7cdda06143..5e2defcf75 100644
--- a/windows/security/threat-protection/device-guard/memory-integrity.md
+++ b/windows/security/threat-protection/device-guard/memory-integrity.md
@@ -3,7 +3,6 @@ title: Memory integrity
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Memory integrity.
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 725e9d2023..d594900ce7 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
-| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
+| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
@@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 7bc3af8993..262058bf1d 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -102,10 +102,10 @@ Validated Editions: Home, Pro, Enterprise, Education
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library |
@@ -166,10 +166,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library |
@@ -236,10 +236,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
@@ -251,7 +251,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+Kernel Mode Cryptographic Primitives Library (cng.sys) |
10.0.15063 |
#3094 |
#3094
@@ -323,10 +323,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
|
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
@@ -338,7 +338,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+Kernel Mode Cryptographic Primitives Library (cng.sys) |
10.0.14393 |
#2936 |
FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
@@ -416,10 +416,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
|
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
@@ -431,7 +431,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+Kernel Mode Cryptographic Primitives Library (cng.sys) |
10.0.10586 |
#2605 |
FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
@@ -514,10 +514,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
|
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
@@ -529,7 +529,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+Kernel Mode Cryptographic Primitives Library (cng.sys) |
10.0.10240 |
#2605 |
FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
@@ -612,10 +612,10 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
|
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
@@ -627,7 +627,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+Kernel Mode Cryptographic Primitives Library (cng.sys) |
6.3.9600 6.3.9600.17042 |
#2356 |
FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
@@ -689,10 +689,10 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
@@ -705,7 +705,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+Kernel Mode Cryptographic Primitives Library (cng.sys) |
6.2.9200 |
#1891 |
FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
@@ -791,10 +791,10 @@ Validated Editions: Windows 7, Windows 7 SP1
|
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
@@ -915,10 +915,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Boot Manager (bootmgr) |
@@ -981,10 +981,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Enhanced Cryptographic Provider (RSAENH) |
@@ -1033,10 +1033,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Kernel Mode Cryptographic Module (FIPS.SYS) |
@@ -1074,10 +1074,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| DSS/Diffie-Hellman Enhanced Cryptographic Provider |
@@ -1108,10 +1108,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Microsoft Enhanced Cryptographic Provider |
@@ -1135,10 +1135,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Kernel Mode Cryptographic Module |
@@ -1162,10 +1162,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Kernel Mode Cryptographic Module (FIPS.SYS) |
@@ -1199,10 +1199,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Kernel Mode Cryptographic Module (FIPS.SYS) |
@@ -1240,10 +1240,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider |
@@ -1270,10 +1270,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider |
@@ -1297,10 +1297,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider |
@@ -1318,10 +1318,10 @@ Validated Editions: Ultimate Edition
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Base Cryptographic Provider |
@@ -1349,10 +1349,10 @@ Validated Editions: Standard, Datacenter
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library |
@@ -1413,10 +1413,10 @@ Validated Editions: Standard, Datacenter
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library |
@@ -1483,10 +1483,10 @@ Validated Editions: Standard, Datacenter, Storage Server
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
@@ -1497,7 +1497,7 @@ Validated Editions: Standard, Datacenter, Storage Server
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+Kernel Mode Cryptographic Primitives Library (cng.sys) |
10.0.14393 |
2936 |
FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
@@ -1562,10 +1562,10 @@ Validated Editions: Server, Storage Server,
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
@@ -1576,7 +1576,7 @@ Validated Editions: Server, Storage Server,
Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+Kernel Mode Cryptographic Primitives Library (cng.sys) |
6.3.9600 6.3.9600.17042 |
2356 |
FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
@@ -1638,10 +1638,10 @@ Validated Editions: Server, Storage Server
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
@@ -1654,7 +1654,7 @@ Validated Editions: Server, Storage Server
Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+Kernel Mode Cryptographic Primitives Library (cng.sys) |
6.2.9200 |
1891 |
FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
@@ -1728,10 +1728,10 @@ Validated Editions: Server, Storage Server
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Boot Manager (bootmgr) |
@@ -1742,7 +1742,7 @@ Validated Editions: Server, Storage Server
Other algorithms: MD5
-| Winload OS Loader (winload.exe) |
+Winload OS Loader (winload.exe) |
6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 |
1333 |
FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
@@ -1806,10 +1806,10 @@ Validated Editions: Server, Storage Server
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Boot Manager (bootmgr) |
@@ -1820,7 +1820,7 @@ Validated Editions: Server, Storage Server
Other algorithms: N/A
-| Winload OS Loader (winload.exe) |
+Winload OS Loader (winload.exe) |
6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 |
1005 |
FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
@@ -1884,10 +1884,10 @@ Validated Editions: Server, Storage Server
|
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
@@ -1925,10 +1925,10 @@ Validated Editions: Server, Storage Server
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Kernel Mode Cryptographic Module (FIPS.SYS) |
@@ -1972,10 +1972,10 @@ Validated Editions: Server, Storage Server
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Kernel Mode Cryptographic Module (FIPS.SYS) |
@@ -2021,10 +2021,10 @@ Validated Editions: Server, Storage Server
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Enhanced Cryptographic Provider |
@@ -2056,10 +2056,10 @@ Validated Editions: Server, Storage Server
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Enhanced Cryptographic Provider |
@@ -2083,10 +2083,10 @@ Validated Editions: Server, Storage Server
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
+Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
| Outlook Cryptographic Provider (EXCHCSP) |
@@ -2113,8 +2113,8 @@ The following tables are organized by cryptographic algorithms with their modes,
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
@@ -2563,137 +2563,137 @@ The following tables are organized by cryptographic algorithms with their modes,
Version 10.0.16299 |
-CBC ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-OFB ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
+CBC ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+OFB ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627
Version 10.0.15063 |
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
+ | KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
AES Val#4624 |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626
Version 10.0.15063 |
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+ | CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#4624
|
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625
Version 10.0.15063 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+ | ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported
GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624
Version 10.0.15063 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 ); |
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 ); |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434
Version 7.00.2872 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 ); |
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 ); |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433
Version 8.00.6246 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431
Version 7.00.2872 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430
Version 8.00.6246 |
-CBC ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-OFB ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
+CBC ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+OFB ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074
Version 10.0.14393 |
-ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+ | ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064
Version 10.0.14393 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
+ | ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
|
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
Version 10.0.14393 |
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )
+ | KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )
AES Val#4064 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062
Version 10.0.14393 |
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+ | CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#4064 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061
Version 10.0.14393 |
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
+ | KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
AES Val#3629 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652
Version 10.0.10586 |
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+ | CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#3629 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653
Version 10.0.10586 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
+ | ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
|
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
Version 10.0.10586 |
-ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+ | ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
@@ -2706,141 +2706,141 @@ GMAC_Supported
Version 10.0.10240 |
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+ | CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#3497 |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498
Version 10.0.10240 |
-ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+ | ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
Version 10.0.10240 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
+ | ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
|
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
Version 10.0.10240 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
+ | ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
|
Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853
Version 6.3.9600 |
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+ | CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#2832 |
Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848
Version 6.3.9600 |
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ;
-OtherIVLen_Supported
-GMAC_Supported |
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ;
+OtherIVLen_Supported
+GMAC_Supported |
Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832
Version 6.3.9600 |
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+ | CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
AES Val#2197
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
+ CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
AES Val#2197
-GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
-GMAC_Supported |
+GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
+GMAC_Supported
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 |
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+ | CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
AES Val#2196 |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
+ | ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
|
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 |
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+ | CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
AES Val#1168 |
Windows Server 2008 R2 and SP1 CNG algorithms #1187
Windows 7 Ultimate and SP1 CNG algorithms #1178 |
-CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+ | CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
AES Val#1168 |
Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
+ | ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
|
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 |
-GCM
-GMAC |
+GCM
+GMAC |
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed |
-| CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
+CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 |
-| CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) |
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) |
Windows Server 2008 CNG algorithms #757
Windows Vista Ultimate SP1 CNG algorithms #756 |
-CBC ( e/d; 128 , 256 );
-CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
+CBC ( e/d; 128 , 256 );
+CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
Windows Vista Ultimate BitLocker Drive Encryption #715
Windows Vista Ultimate BitLocker Drive Encryption #424 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 ); |
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 ); |
Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739
Windows Vista Symmetric Algorithm Implementation #553 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023 |
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 ); |
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 ); |
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
@@ -2865,8 +2865,8 @@ Deterministic Random Bit Generator (DRBG)
|
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
@@ -2934,74 +2934,74 @@ Deterministic Random Bit Generator (DRBG)
Version 10.0.16299 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ] |
Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556
Version 10.0.15063 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ] |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555
Version 10.0.15063 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ] |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433
Version 7.00.2872 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ] |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432
Version 8.00.6246 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ] |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430
Version 7.00.2872 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ] |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429
Version 8.00.6246 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ] |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222
Version 10.0.14393 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ] |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217
Version 10.0.14393 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ] |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955
Version 10.0.10586 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ] |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868
Version 10.0.10240 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ] |
Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
Version 6.3.9600 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] |
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 |
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] |
+CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] |
Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 |
-| DRBG (SP 800–90) |
+DRBG (SP 800–90) |
Windows Vista Ultimate SP1, vendor-affirmed |
@@ -3017,8 +3017,8 @@ Deterministic Random Bit Generator (DRBG)
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
@@ -3137,118 +3137,118 @@ Deterministic Random Bit Generator (DRBG)
Version 10.0.16299 |
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+ | FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
SHS: Val#3790
DRBG: Val# 1555 |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223
Version 10.0.15063 |
-FIPS186-4:
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+ | FIPS186-4:
+PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
SHS: Val# 3649 |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188
Version 7.00.2872 |
-FIPS186-4:
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+ | FIPS186-4:
+PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
SHS: Val#3648 |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187
Version 8.00.6246 |
-FIPS186-4:
-PQG(gen)PARMS TESTED: [
+ | FIPS186-4:
+PQG(gen)PARMS TESTED: [
(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256)
+SIG(gen)PARMS TESTED: [ (2048,256)
SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
SHS: Val# 3347
DRBG: Val# 1217 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098
Version 10.0.14393 |
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
-KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+ | FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
+KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
SHS: Val# 3047
DRBG: Val# 955 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024
Version 10.0.10586 |
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+ | FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
SHS: Val# 2886
DRBG: Val# 868 |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983
Version 10.0.10240 |
-FIPS186-4:
-PQG(gen)PARMS TESTED: [
+ | FIPS186-4:
+PQG(gen)PARMS TESTED: [
(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256)
+PQG(ver)PARMS TESTED: [ (2048,256)
SHA( 256 ); (3072,256) SHA( 256 ) ]
KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
SHS: Val# 2373
DRBG: Val# 489 |
Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855
Version 6.3.9600 |
-FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
SHS: #1903
DRBG: #258
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+ FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
SHS: #1903
DRBG: #258
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687. |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687 |
-FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
SHS: #1902
DRBG: #258
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686. |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686 |
-FIPS186-2:
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 1773
DRBG: Val# 193
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645. |
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645 |
-FIPS186-2:
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 1081
DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386. |
@@ -3256,8 +3256,8 @@ Some of the previously validated components for this validation have been remove
Windows 7 Ultimate and SP1 CNG algorithms #386
-FIPS186-2:
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 1081
RNG: Val# 649
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385. |
@@ -3265,16 +3265,16 @@ Some of the previously validated components for this validation have been remove
Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385
-FIPS186-2:
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 753
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283. |
Windows Server 2008 CNG algorithms #284
Windows Vista Ultimate SP1 CNG algorithms #283 |
-FIPS186-2:
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 753
RNG: Val# 435
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281. |
@@ -3282,8 +3282,8 @@ Some of the previously validated components for this validation have been remove
Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281
-FIPS186-2:
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 618
RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226. |
@@ -3291,61 +3291,61 @@ Some of the previously validated components for this validation have been remove
Windows Vista Enhanced DSS (DSSENH) #226
-FIPS186-2:
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 784
RNG: Val# 448
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292. |
Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292 |
-FIPS186-2:
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+SIG(ver) MOD(1024);
SHS: Val# 783
RNG: Val# 447
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291. |
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291 |
-FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
SHS: Val# 611
RNG: Val# 314 |
Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221 |
-FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
SHS: Val# 385 |
Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146 |
-FIPS186-2:
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
+ | FIPS186-2:
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
SHS: Val# 181
|
Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95 |
-FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
+ | FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
SHS: SHA-1 (BYTE)
-SIG(ver) MOD(1024);
+SIG(ver) MOD(1024);
SHS: SHA-1 (BYTE) |
Windows 2000 DSSENH.DLL #29
Windows 2000 DSSBASE.DLL #28
@@ -3353,12 +3353,12 @@ SHS: SHA-1 (BYTE) |
Windows NT 4 SP6 DSSBASE.DLL #25
-FIPS186-2: PRIME;
-FIPS186-2:
-KEYGEN(Y):
+ | FIPS186-2: PRIME;
+FIPS186-2:
+KEYGEN(Y):
SHS: SHA-1 (BYTE)
-SIG(gen):
-SIG(ver) MOD(1024);
+ SIG(gen):
+SIG(ver) MOD(1024);
SHS: SHA-1 (BYTE) |
Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17 |
@@ -3375,8 +3375,8 @@ SHS: SHA-1 (BYTE)
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
@@ -3653,93 +3653,93 @@ SHS: SHA-1 (BYTE) |
Version 10.0.16299
-FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
+ | FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
SHS: Val#3790
DRBG: Val# 1555 |
Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136
Version 10.0.15063 |
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+ | FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
SHS: Val#3790
DRBG: Val# 1555 |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135
Version 10.0.15063 |
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+ | FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
SHS: Val#3790
DRBG: Val# 1555 |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133
Version 10.0.15063 |
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val# 3649
-DRBG:Val# 1430 |
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val# 3649
+DRBG:Val# 1430 |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073
Version 7.00.2872 |
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val#3648
-DRBG:Val# 1429 |
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val#3648
+DRBG:Val# 1429 |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072
Version 8.00.6246 |
-FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
-PKV: CURVES( P-256 P-384 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
+ | FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
+PKV: CURVES( P-256 P-384 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
SHS: Val# 3347
DRBG: Val# 1222 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920
Version 10.0.14393 |
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+ | FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
SHS: Val# 3347
DRBG: Val# 1217 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911
Version 10.0.14393 |
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+ | FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
SHS: Val# 3047
DRBG: Val# 955 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760
Version 10.0.10586 |
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+ | FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
SHS: Val# 2886
DRBG: Val# 868 |
@@ -3747,79 +3747,79 @@ DRBG:
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+ | FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
SHS: Val#2373
DRBG: Val# 489 |
Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505
Version 6.3.9600 |
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-SIG(ver):CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: #1903
-DRBG: #258
+ | FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+SIG(ver):CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: #1903
+DRBG: #258
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341. |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341 |
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#1773
-DRBG: Val# 193
+ | FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#1773
+DRBG: Val# 193
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295. |
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295 |
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
+ | FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. |
Windows Server 2008 R2 and SP1 CNG algorithms #142
Windows 7 Ultimate and SP1 CNG algorithms #141 |
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#753
+ | FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#753
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82. |
Windows Server 2008 CNG algorithms #83
Windows Vista Ultimate SP1 CNG algorithms #82 |
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
+ | FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. |
Windows Vista CNG algorithms #60 |
@@ -3836,8 +3836,8 @@ Some of the previously validated components for this validation have been remove
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
@@ -3983,265 +3983,265 @@ Some of the previously validated components for this validation have been remove
Version 10.0.16299 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062
Version 10.0.15063 |
-HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
+HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061
Version 10.0.15063 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652 |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946
Version 7.00.2872 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651 |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945
Version 8.00.6246 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649 |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943
Version 7.00.2872 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648 |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942
Version 8.00.6246 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+ | HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
SHS Val# 3347
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
SHS Val# 3347
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
SHS Val# 3347 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661
Version 10.0.14393 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651
Version 10.0.14393 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+ | HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
SHS Val# 3047
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
SHS Val# 3047
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
SHS Val# 3047
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
SHS Val# 3047 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381
Version 10.0.10586 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+ | HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
SHSVal# 2886
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
SHSVal# 2886
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
SHSVal# 2886
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
SHSVal# 2886 |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233
Version 10.0.10240 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+ | HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
SHS Val#2373
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
SHS Val#2373
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
SHS Val#2373
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+ HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
SHS Val#2373 |
Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773
Version 6.3.9600 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 |
Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122
Version 5.2.29344 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902
-HMAC-SHA256 ( Key Size Ranges Tested: KS#1902 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902
+HMAC-SHA256 ( Key Size Ranges Tested: KS#1902 |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902 |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHS#1903
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHS#1903
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
-SHS#1903
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
-SHS#1903 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHS#1903
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHS#1903
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+SHS#1903
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+SHS#1903 |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
-Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
+Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 |
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 |
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 |
Windows Server 2008 R2 and SP1 CNG algorithms #686
Windows 7 and SP1 CNG algorithms #677
Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687
Windows 7 Enhanced Cryptographic Provider (RSAENH) #673 |
-HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081 |
+HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081 |
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816 |
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753 |
Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753 |
Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408
Windows Vista Enhanced Cryptographic Provider (RSAENH) #407 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 |
-| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785 |
Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429
Windows XP, vendor-affirmed |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783 |
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613 |
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 |
-| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 |
Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753 |
Windows Server 2008 CNG algorithms #413
Windows Vista Ultimate SP1 CNG algorithms #412 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737 |
Windows Vista Ultimate BitLocker Drive Encryption #386 |
-HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
+HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
Windows Vista CNG algorithms #298 |
-HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589 |
+HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589 |
Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 |
-HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578 |
+HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578 |
Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260 |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495 |
Windows Vista BitLocker Drive Encryption #199 |
-| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364 |
Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99
Windows XP, vendor-affirmed |
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305 |
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305 |
Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 |
@@ -4257,8 +4257,8 @@ SHS
-Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
@@ -4782,7 +4782,7 @@ SHS
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
+ | ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
SHS Val#3790
DSA Val#1135
DRBG Val#1556 |
@@ -4790,15 +4790,15 @@ DRBG
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+ | FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#3790
DSA Val#1223
DRBG Val#1555
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+ ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#3790
ECDSA Val#1133
@@ -4807,29 +4807,29 @@ DRBG
- | FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+ | FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val# 3649
DSA Val#1188
DRBG Val#1430
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] |
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115
Version 7.00.2872 |
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+ | FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#3648
DSA Val#1187
DRBG Val#1429
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+ ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#3648
ECDSA Val#1072
@@ -4838,19 +4838,19 @@ DRBG
- | ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration )
-SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
+ | ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration )
+SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
SHS Val# 3347 ECDSA Val#920 DRBG Val#1222 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93
Version 10.0.14393 |
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation )
-SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic (No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+ | FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation )
+SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic (No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val# 3347 DSA Val#1098 DRBG Val#1217
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+ ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651 |
@@ -4858,11 +4858,11 @@ DRBG
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+ | FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
( FB: SHA256 ) ( FC: SHA256 ) ]
[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val# 3047 DSA Val#1024 DRBG Val#955
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+ ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val# 3047 ECDSA Val#760 DRBG Val#955 |
@@ -4870,11 +4870,11 @@ DRBG
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+ | FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
( FB: SHA256 ) ( FC: SHA256 ) ]
[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val# 2886 DSA Val#983 DRBG Val#868
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+ ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val# 2886 ECDSA Val#706 DRBG Val#868 |
@@ -4882,11 +4882,11 @@ DRBG
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+ | FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
( FB: SHA256 ) ( FC: SHA256 ) ]
[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS Val#2373 DSA Val#855 DRBG Val#489
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+ ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS Val#2373 ECDSA Val#505 DRBG Val#489 |
@@ -4894,20 +4894,20 @@ DRBG
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+ | FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
SHS #1903 DSA Val#687 DRBG #258
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+ ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
SHS #1903 ECDSA Val#341 DRBG #258 |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36 |
-KAS (SP 800–56A)
+ | KAS (SP 800–56A)
key agreement
key establishment methodology provides 80 to 256 bits of encryption strength |
Windows 7 and SP1, vendor-affirmed
@@ -4922,8 +4922,8 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
@@ -5021,7 +5021,7 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)
Version 10.0.16299 |
-CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+ | CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#128
DRBG Val#1556
@@ -5030,7 +5030,7 @@ MAC
- | CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+ | CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#127
AES Val#4624
@@ -5040,37 +5040,37 @@ MAC
- | CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+ | CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#93 DRBG Val#1222 MAC Val#2661 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102
Version 10.0.14393 |
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+ | CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101
Version 10.0.14393 |
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+ | CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72
Version 10.0.10586 |
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+ | CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233 |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66
Version 10.0.10240 |
-CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+ | CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
DRBG Val#489 MAC Val#1773 |
Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30
Version 6.3.9600 |
-CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+ | CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
DRBG #258 HMAC Val#1345 |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3 |
@@ -5087,34 +5087,34 @@ Random Number Generator (RNG)
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
-FIPS 186-2 General Purpose
-[ (x-Original); (SHA-1) ] |
+FIPS 186-2 General Purpose
+[ (x-Original); (SHA-1) ] |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110 |
-FIPS 186-2
-[ (x-Original); (SHA-1) ] |
+FIPS 186-2
+[ (x-Original); (SHA-1) ] |
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060
Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292
Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286
Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66 |
-FIPS 186-2
-[ (x-Change Notice); (SHA-1) ]
-FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ] |
+FIPS 186-2
+[ (x-Change Notice); (SHA-1) ]
+FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ] |
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649
Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435
Windows Vista RNG implementation #321 |
-FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ] |
+FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ] |
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470
Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447
@@ -5122,8 +5122,8 @@ Random Number Generator (RNG)
Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313 |
-FIPS 186-2
-[ (x-Change Notice); (SHA-1) ] |
+FIPS 186-2
+[ (x-Change Notice); (SHA-1) ] |
Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448
Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314 |
@@ -5140,8 +5140,8 @@ Random Number Generator (RNG)
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
RSA:
@@ -5711,419 +5711,419 @@ Random Number Generator (RNG)
Version 10.0.16299 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
SHA Val#3790 |
Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524
Version 10.0.15063 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3790 |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523
Version 10.0.15063 |
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ | FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
SHA Val#3790
DRBG: Val# 1555 |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522
Version 10.0.15063 |
-FIPS186-4:
+FIPS186-4:
186-4KEY(gen):
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
SHA Val#3790 |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521
Version 10.0.15063 |
|
-FIPS186-2:
-ALG[ANSIX9.31]:
+ | FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
-FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3652 |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415
Version 7.00.2872 |
-FIPS186-2:
-ALG[ANSIX9.31]:
+ | FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
-FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3651 |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414
Version 8.00.6246 |
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
+ | FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val# 3649
DRBG: Val# 1430 |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412
Version 7.00.2872 |
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
+ | FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3648
DRBG: Val# 1429 |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411
Version 8.00.6246 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
SHA Val# 3347 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206
Version 10.0.14393 |
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ | FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
SHA Val# 3347 DRBG: Val# 1217 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195
Version 10.0.14393 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3346 |
soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194
Version 10.0.14393 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val# 3347 DRBG: Val# 1217 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193
Version 10.0.14393 |
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ | FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
SHA Val# 3347 DRBG: Val# 1217 |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192
Version 10.0.14393 |
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ | FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
SHA Val# 3047 DRBG: Val# 955 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889
Version 10.0.10586 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#3048 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871
Version 10.0.10586 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val# 3047 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888
Version 10.0.10586 |
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ | FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
SHA Val# 3047 |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887
Version 10.0.10586 |
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+ | FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
SHA Val# 2886 DRBG: Val# 868 |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798
Version 10.0.10240 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#2871 |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784
Version 10.0.10240 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#2871 |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783
Version 10.0.10240 |
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ | FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
SHA Val# 2886 |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802
Version 10.0.10240 |
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ | FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
SHA Val#2373 DRBG: Val# 489 |
Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487
Version 6.3.9600 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#2373 |
Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494
Version 6.3.9600 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
SHA Val#2373 |
Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493
Version 6.3.9600 |
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ | FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
SHA Val#2373 |
Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519
Version 6.3.9600 |
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
+ | FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
SHA #1903
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134. |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134 |
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ | FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
SHA #1903 DRBG: #258 |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133 |
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
+ | FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132. |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132 |
-FIPS186-2:
-ALG[ANSIX9.31]:
+ | FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052. |
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052 |
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+ | FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051. |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051 |
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+ | FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568. |
Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568 |
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+ | FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560. |
Windows Server 2008 R2 and SP1 CNG algorithms #567
Windows 7 and SP1 CNG algorithms #560 |
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
+ | FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559. |
Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559 |
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+ | FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557. |
Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557 |
-FIPS186-2:
+FIPS186-2:
ALG[ANSIX9.31]:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395. |
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395 |
|
-FIPS186-2:
-ALG[ANSIX9.31]:
+ | FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371. |
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371 |
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+ | FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357. |
Windows Server 2008 CNG algorithms #358
Windows Vista SP1 CNG algorithms #357 |
-FIPS186-2:
-ALG[ANSIX9.31]:
+ | FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354. |
Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355
Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354 |
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
+ | FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353. |
Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353 |
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
+ | FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258. |
Windows Vista RSA key generation implementation #258 |
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+ | FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257. |
Windows Vista CNG algorithms #257 |
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+ | FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255. |
Windows Vista Enhanced Cryptographic Provider (RSAENH) #255 |
-FIPS186-2:
-ALG[ANSIX9.31]:
+ | FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245. |
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245 |
-FIPS186-2:
-ALG[ANSIX9.31]:
+ | FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230. |
Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230 |
-FIPS186-2:
-ALG[ANSIX9.31]:
+ | FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222. |
Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222 |
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]:
+ | FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]:
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81. |
Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81 |
-FIPS186-2:
-ALG[ANSIX9.31]:
+ | FIPS186-2:
+ALG[ANSIX9.31]:
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52. |
Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52 |
-FIPS186-2:
+ | FIPS186-2:
– PKCS#1 v1.5, signature generation and verification
– Mod sizes: 1024, 1536, 2048, 3072, 4096
– SHS: SHA–1/256/384/512 |
@@ -6143,8 +6143,8 @@ Some of the previously validated components for this validation have been remove
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
@@ -6213,170 +6213,170 @@ Some of the previously validated components for this validation have been remove
Version 10.0.16299 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790
Version 10.0.15063 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652
Version 7.00.2872 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651
Version 8.00.6246 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649
Version 7.00.2872 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648
Version 8.00.6246 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
Version 10.0.14393 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
Version 10.0.14393 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
Version 10.0.10586 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
Version 10.0.10586 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
Version 10.0.10240 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
Version 10.0.10240 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
Version 6.3.9600 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
Version 6.3.9600 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)
+ | SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
Implementation does not support zero-length (null) messages. |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816 |
-| SHA-1 (BYTE-only) |
+SHA-1 (BYTE-only) |
Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785
Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753
Windows Vista Symmetric Algorithm Implementation #618 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only) |
Windows Vista BitLocker Drive Encryption #737
Windows Vista Beta 2 BitLocker Drive Encryption #495 |
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613
Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364 |
-| SHA-1 (BYTE-only) |
+SHA-1 (BYTE-only) |
Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611
Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610
Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385
@@ -6386,16 +6386,16 @@ Version 6.3.9600 |
Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589
Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578
Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305 |
-| SHA-1 (BYTE-only) |
+SHA-1 (BYTE-only) |
Windows XP Microsoft Enhanced Cryptographic Provider #83
Crypto Driver for Windows 2000 (fips.sys) #35
Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32
@@ -6417,8 +6417,8 @@ Version 6.3.9600 |
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
+Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
@@ -6499,112 +6499,112 @@ Version 6.3.9600 |
Version 10.0.16299
-| TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) |
+TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) |
Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459
Version 10.0.15063 |
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) |
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384
Version 8.00.6246 |
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) |
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) |
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383
Version 8.00.6246 |
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-CTR ( int only ) |
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+CTR ( int only ) |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382
Version 7.00.2872 |
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) |
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) |
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381
Version 8.00.6246 |
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
Version 10.0.14393 |
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
Version 10.0.10586 |
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
Version 10.0.10240 |
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692
Version 6.3.9600 |
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) ;
-TCFB64( e/d; KO 1,2 ) |
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) ;
+TCFB64( e/d; KO 1,2 ) |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387 |
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386 |
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846 |
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656 |
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
Windows Vista Symmetric Algorithm Implementation #549 |
-| Triple DES MAC |
+Triple DES MAC |
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed |
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) |
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) |
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691
@@ -6636,15 +6636,15 @@ Version 6.3.9600 |
|
- Modes / States / Key Sizes
+ Modes / States / Key Sizes
|
- Algorithm Implementation and Certificate #
+ Algorithm Implementation and Certificate #
|
|
- PBKDF (vendor affirmed) |
+ PBKDF (vendor affirmed)
Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
(Software Version: 10.0.14393)
Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
@@ -6654,7 +6654,7 @@ Version 6.3.9600 |
|
- PBKDF (vendor affirmed) |
+ PBKDF (vendor affirmed)
Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed
@@ -6672,8 +6672,8 @@ Version 6.3.9600 |
-| Publication / Component Validated / Description |
-Implementation and Certificate # |
+Publication / Component Validated / Description |
+Implementation and Certificate # |
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 3d52254721..7e2cc61fe3 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,7 +1,7 @@
---
title: Threat Protection (Windows 10)
description: Learn how Microsoft Defender ATP helps protect against threats.
-keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
+keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -27,7 +27,7 @@ ms.topic: conceptual
Threat & Vulnerability Management |
Attack surface reduction |
-
Next generation protection |
+
Next-generation protection |
Endpoint detection and response |
Automated investigation and remediation |
Microsoft Threat Experts |
@@ -77,8 +77,8 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
+**[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
+To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.
- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus)
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
index 52771c8630..2584ee9200 100644
--- a/windows/security/threat-protection/intelligence/coinminer-malware.md
+++ b/windows/security/threat-protection/intelligence/coinminer-malware.md
@@ -31,7 +31,7 @@ Many infections start with:
Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources.
-Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners are not wanted in enterprise environments because they eat up precious computing resources.
+Coin miners aren't inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners aren't wanted in enterprise environments because they eat up precious computing resources.
Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people’s computing resources.
@@ -41,12 +41,12 @@ DDE exploits, which have been known to distribute ransomware, are now delivering
For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit.
-The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency.
+The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A). It downloads the trojanized miner, a modified version of the miner XMRig, which then mines Monero cryptocurrency.
## How to protect against coin miners
-**Enable PUA detection**: Some coin mining tools are not considered malware but are detected as potentially unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
+**Enable potentially unwanted applications (PUA) detection**. Some coin mining tools aren't considered malware but are detected as PUA. Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
-Since coin miners is becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md).
+Since coin miners are becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md).
For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/).
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index fef7da884b..6a3a933a3f 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -20,20 +20,20 @@ ms.topic: article
Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive.
-CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective communities, customers, and businesses.
+CME calls for organizations to pool their tools, information, and actions to drive coordinated campaigns against malware. The goal is to drive efficient and long-lasting results to better protect our communities, customers, and businesses.
## Combining our tools, information, and actions
-Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. For instance, while security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry, online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action.
+Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. Security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry. Online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action.
-In addition to telemetry and analysis data, Microsoft is planning to contribute cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in to these campaigns.
+Microsoft is planning to contribute telemetry and analysis data to these campaigns. It will also provide cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in.
## Coordinated campaigns for lasting results
-Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can initiate a campaign and invite others to join it. The members then have the option to accept or decline the invitations they receive.
+Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can start a campaign and invite others to join it. The members can then accept or decline the invitations they receive.
## Join the effort
-Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
+Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). Everyone agrees to use the available information and tools for their intended purpose (that is, the eradication of malware).
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For any questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 74c19eb50f..77a3c4e33d 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -1,7 +1,7 @@
---
title: How Microsoft identifies malware and potentially unwanted applications
ms.reviewer:
-description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it is malware or a potentially unwanted application.
+description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application.
keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
ms.prod: w10
ms.mktglfcycl: secure
@@ -18,7 +18,7 @@ search.appverid: met150
# How Microsoft identifies malware and potentially unwanted applications
-Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you are protected against known threats and warned about software that is unknown to us.
+Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You are also warned about software that is unknown to us.
You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md)
@@ -29,9 +29,9 @@ The next sections provide an overview of the classifications we use for applicat
## Unknown – Unrecognized software
-No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates. With almost 2 billion websites on the internet and software continuously being updated and released, it's impossible to have information about every single site and program.
+No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates. With almost 2 billion websites on the internet and software continuously updated and released, it's impossible to have information about every single site and program.
-You can think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware, as there is generally a delay from the time new malware is released until it is identified. Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Warnings for unknown software are not blocks, and users can choose to download and run the application normally if they wish to.
+Think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware. There's generally a delay from the time new malware is released until it's identified. Not all uncommon programs are malicious, but the risk in the unknown category is much higher for the typical user. Warnings for unknown software aren't blocks. Users can choose to download and run the application normally if they wish to.
Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software.
@@ -61,11 +61,11 @@ Microsoft classifies most malicious software into one of the following categorie
* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
-* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).
+* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).
* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services.
-* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
+* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate to tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.
@@ -73,17 +73,17 @@ Microsoft classifies most malicious software into one of the following categorie
### Unwanted software
-Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
+Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that doesn't fully demonstrate these behaviors as "unwanted software".
#### Lack of choice
-You must be notified about what is happening on your device, including what software does and whether it is active.
+You must be notified about what is happening on your device, including what software does and whether it's active.
Software that exhibits lack of choice might:
* Fail to provide prominent notice about the behavior of the software and its purpose and intent.
-* Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence.
+* Fail to clearly indicate when the software is active. It might also attempt to hide or disguise its presence.
* Install, reinstall, or remove software without your permission, interaction, or consent.
@@ -93,7 +93,7 @@ Software that exhibits lack of choice might:
* Falsely claim to be software from Microsoft.
-Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
+Software must not mislead or coerce you into making decisions about your device. It is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
* Display exaggerated claims about your device's health.
@@ -103,7 +103,7 @@ Software must not mislead or coerce you into making decisions about your device.
Software that stores or transmits your activities or data must:
-* Give you notice and get consent to do so. Software should not include an option that configures it to hide activities associated with storing or transmitting your data.
+* Give you notice and get consent to do so. Software shouldn't include an option that configures it to hide activities associated with storing or transmitting your data.
#### Lack of control
@@ -119,7 +119,7 @@ Software that exhibits lack of control might:
* Modify or manipulate webpage content without your consent.
-Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are considered non-extensible and should not be modified.
+Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered non-extensible and shouldn't be modified.
#### Installation and removal
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index bc3ecd48d1..747950168f 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -2,7 +2,7 @@
title: Fileless threats
ms.reviewer:
description: Learn about the categories of fileless threats and malware that "live off the land"
-keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next generation protection
+keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 8544b43d61..5ecbd9a101 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -63,6 +63,6 @@ It is also important to keep the following in mind:
Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams:
-www.microsoft.com/reportascam
+www.microsoft.com/reportascam
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
index e9fd6a400e..a0e3d27f66 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
@@ -3,7 +3,6 @@ title: What to do with false positives/negatives in Microsoft Defender Antivirus
description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do.
keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 691027c34e..072cc3c421 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -3,7 +3,6 @@ title: Collect diagnostic data for Update Compliance and Windows Defender Micros
description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index 876f707fc7..9c9ec19ea9 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -3,7 +3,6 @@ title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
index 0286462e81..8bf5563e09 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@@ -3,17 +3,16 @@ title: Use the command line to manage Microsoft Defender Antivirus
description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer: ksarens
manager: dansimp
+ms.date: 08/17/2020
---
# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
@@ -31,11 +30,12 @@ You can perform various Microsoft Defender Antivirus functions with the dedicate
The utility has the following commands:
-```DOS
+```console
MpCmdRun.exe [command] [-options]
```
Here's an example:
-```
+
+```console
MpCmdRun.exe -Scan -ScanType 2
```
@@ -55,6 +55,22 @@ MpCmdRun.exe -Scan -ScanType 2
| `-ListAllDynamicSignatures` | Lists the loaded dynamic Security intelligence |
| `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic Security intelligence |
| `-CheckExclusion -path ` | Checks whether a path is excluded |
+| `-ValidateMapsConnection` | Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
+
+
+## Common errors in running commands via mpcmdrun.exe
+
+|Error message | Possible reason
+|:----|:----|
+| `ValidateMapsConnection failed (800106BA) or 0x800106BA` | The Microsoft Defender Antivirus service is disabled. Enable the service and try again.
**Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.|
+| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
+| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0` (where `2008.4-0` might differ since platform updates are monthly except for December)|
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.|
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems|
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015` | The firewall is blocking the connection or conducting SSL inspection. |
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. |
+| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
index 7be3761332..53d9dc6877 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Common mistakes to avoid when defining exclusions
description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans.
keywords: exclusions, files, extension, file type, folder name, file name, scans
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
index 9ca273c668..ac38745a10 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Manage Windows Defender in your business
description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV
keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 3464a06430..9800bbf096 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -23,13 +22,11 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-**Use Microsoft Intune to configure scanning options**
+## Use Microsoft Intune to configure scanning options
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-
-
-## Use Microsoft Endpoint Configuration Manager to configure scanning options:
+## Use Microsoft Endpoint Configuration Manager to configure scanning options
See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
@@ -70,6 +67,8 @@ See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell
For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
+
+
## Email scanning limitations
Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index 5fb8feab26..88892bd4a0 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -1,14 +1,12 @@
---
title: Enable Block at First Sight to detect malware in seconds
-description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.
+description: Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly.
keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: high
author: denisebmsft
ms.author: deniseb
ms.reviewer:
@@ -16,7 +14,7 @@ manager: dansimp
ms.custom: nextgen
---
-# Enable block at first sight
+# Turn on block at first sight
**Applies to:**
@@ -31,9 +29,9 @@ You can [specify how long the file should be prevented from running](configure-c
## How it works
-When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
+When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
@@ -44,11 +42,11 @@ If the cloud backend is unable to make a determination, Microsoft Defender Antiv
In many cases, this process can reduce the response time for new malware from hours to seconds.
-## Confirm and validate that block at first sight is enabled
+## Confirm and validate that block at first sight is turned on
Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments.
-### Confirm block at first sight is enabled with Intune
+### Confirm block at first sight is turned on with Intune
1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**.
@@ -71,7 +69,7 @@ For more information about configuring Microsoft Defender Antivirus device restr
For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
-### Enable block at first sight with Microsoft Endpoint Configuration Manager
+### Turn on block at first sight with Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
@@ -93,8 +91,7 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D
7. Click **OK** to create the policy.
-
-### Confirm block at first sight is enabled with Group Policy
+### Confirm block at first sight is turned on with Group Policy
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -115,19 +112,19 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D
2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
-If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
+If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered.
-### Confirm block at first sight is enabled with Registry editor
+### Confirm block at first sight is turned on with Registry editor
1. Start Registry Editor.
-2. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet**, and make sure that
+2. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet`, and make sure that
1. **SpynetReporting** key is set to **1**
2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
-3. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection**, and make sure that
+3. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, and make sure that
1. **DisableIOAVProtection** key is set to **0**
@@ -154,14 +151,14 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote
You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
-## Disable block at first sight
+## Turn off block at first sight
> [!WARNING]
-> Disabling block at first sight will lower the protection state of the endpoint and your network.
+> Turning off block at first sight will lower the protection state of the endpoint and your network.
You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
-### Disable block at first sight with Group Policy
+### Turn off block at first sight with Group Policy
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
@@ -174,7 +171,8 @@ You may choose to disable block at first sight if you want to retain the prerequ
> [!NOTE]
> Disabling block at first sight will not disable or alter the prerequisite group policies.
-## Related topics
+## See also
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+
- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index 7840be58fc..3d86286bb7 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure the Microsoft Defender AV cloud block timeout period
description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -15,7 +14,6 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
-ms.custom: nextgen
---
# Configure the cloud block timeout period
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
index b7af3e0452..0c3ce33cac 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure how users can interact with Microsoft Defender AV
description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings.
keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +11,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
index 0e81659418..e7d0bb0417 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Set up exclusions for Microsoft Defender AV scans
description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell.
keywords:
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
index bbbbe12908..d9e2707453 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Configure and validate exclusions based on extension, name, or location
description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
keywords: exclusions, files, extension, file type, folder name, file name, scans
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
index 16fc08a832..e77c12eda2 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure local overrides for Microsoft Defender AV settings
description: Enable or disable users from locally changing settings in Microsoft Defender AV.
keywords: local override, local policy, group policy, gpo, lockdown,merge, lists
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
index 3f6f29e47b..c705e4b465 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
@@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus features
description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
index 3f3d1f0b07..1901905edb 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure and validate Microsoft Defender Antivirus network connections
description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service.
keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
index 57a0ea6f0e..945265b8a3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus notifications
description: Configure and customize Microsoft Defender Antivirus notifications.
keywords: notifications, defender, antivirus, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
index 9fb92406dc..31d62322c4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure exclusions for files opened by specific processes
description: You can exclude files from scans if they have been opened by a specific process.
keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
index 2f09169a15..20f94ac46b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Enable and configure Microsoft Defender Antivirus protection features
description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
index 727463b3d6..6bcef11259 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Enable and configure Microsoft Defender Antivirus protection capabilities
description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
index 65400ddb8c..8b66efba75 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Remediate and resolve infections detected by Microsoft Defender Antivirus
description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
keywords: remediation, fix, remove, threats, quarantine, scan, restore
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
index f0a52f7827..ab7fa39e3c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
@@ -5,7 +5,6 @@ manager: dansimp
description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
index 0a108f47da..440b53b85c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Run and customize scheduled and on-demand scans
description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index 0a108f47da..440b53b85c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Run and customize scheduled and on-demand scans
description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
index b9406da6f4..0036dd3c81 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Deploy, manage, and report on Microsoft Defender Antivirus
description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
keywords: deploy, manage, update, protection, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
index 6e0bb71ecc..56d1a243c9 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Deploy and enable Microsoft Defender Antivirus
description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
keywords: deploy, enable, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
index a906762b9a..c2f2824510 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment gu
description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
index 40994831c4..f996b8c772 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Block potentially unwanted applications with Microsoft Defender Antivirus
description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
index 84f310871d..dbd8db2df4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Enable cloud-delivered protection in Microsoft Defender Antivirus
description: Enable cloud-delivered protection to benefit from fast and advanced protection features.
keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -25,7 +23,7 @@ ms.custom: nextgen
> [!NOTE]
> The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
index 1c2dec92b5..f6fcbbbeda 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Evaluate Microsoft Defender Antivirus
description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10.
keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -31,7 +29,7 @@ Use this guide to determine how well Microsoft Defender Antivirus protects you f
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
-It explains the important next generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
+It explains the important next-generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
index 545f77a114..75c974ae9b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Enable the limited periodic Microsoft Defender Antivirus scanning feature
description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers
keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
index c29455e452..8b91ba2fde 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Apply Microsoft Defender Antivirus updates after certain events
description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
index 8956c31df7..690a9eee6a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Apply Microsoft Defender AV protection updates to out of date endpoints
description: Define when and how updates should be applied for endpoints that have not updated in a while.
keywords: updates, protection, out-of-date, outdated, old, catch-up
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
index 5ba75a3387..b626c962ef 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Schedule Microsoft Defender Antivirus protection updates
description: Schedule the day, time, and interval for when protection updates should be downloaded
keywords: updates, security baselines, schedule updates
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
search.appverid: met150
ms.mktglfcycl: manage
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
index 58e3fd0a6f..38a6d28737 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Manage how and where Microsoft Defender AV receives updates
description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates.
keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index f730a9670c..6f73b79b2b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Manage Microsoft Defender Antivirus updates and apply baselines
description: Manage how Microsoft Defender Antivirus receives protection and product updates.
keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
index fb9cbcf454..86217f98d9 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Define how mobile devices are updated by Microsoft Defender AV
description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates.
keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
index 4be2a05301..3952f63c4c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
@@ -3,7 +3,6 @@ title: Next-generation protection in Windows 10, Windows Server 2016, and Window
description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index 2108fffbab..a5087f74b0 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -20,7 +19,8 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Windows Server 2016
+- Windows Server 2019
Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
index 0a396c5667..e824427101 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@@ -3,7 +3,6 @@ title: Microsoft Defender Offline in Windows 10
description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
keywords: scan, defender, offline
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index 1bb6d1137c..d32346b285 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -3,7 +3,6 @@ title: Microsoft Defender Antivirus in the Windows Security app
description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks.
keywords: wdav, antivirus, firewall, security, windows
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
index 58f370b7dd..55931f992b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: "Better together - Microsoft Defender Antivirus and Office 365 (including
description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more."
keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index 18c0fdfc15..a2c6bdee36 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Hide the Microsoft Defender Antivirus interface
description: You can hide virus and threat protection tile in the Windows Security app.
keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
index aa0b387ceb..da205310f1 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Monitor and report on Microsoft Defender Antivirus protection
description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI.
keywords: siem, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
index 325b0800ee..434a02f941 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Restore quarantined files in Microsoft Defender AV
description: You can restore files and folders that were quarantined by Microsoft Defender AV.
keywords:
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index 1e4a2b7142..d23aa3b802 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Review the results of Microsoft Defender AV scans
description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
keywords: scan results, remediation, full scan, quick scan
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
index a0fc81be46..5266967e27 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Run and customize on-demand scans in Microsoft Defender AV
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
keywords: scan, on-demand, dos, intune, instant scan
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index ce7ad86555..7c297d11d4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Schedule regular quick and full scans with Microsoft Defender AV
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
index c6a20d3a13..07f45f646e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -7,11 +7,10 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 09/03/2018
+ms.date: 08/12/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@@ -62,7 +61,8 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- - **Default Microsoft Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files.
+ - **Moderate blocking level** provides moderate only for high confidence detections
- **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
- **Zero tolerance blocking level** blocks all unknown executables.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
index 75665404c2..6bc4a4a744 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Microsoft Defender AV event IDs and error codes
description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
index 43310f4b21..a2747a705d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
@@ -3,7 +3,6 @@ title: Troubleshoot problems with reporting tools for Microsoft Defender AV
description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 266e82be31..58572c3d52 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Configure Microsoft Defender Antivirus with Group Policy
description: Configure Microsoft Defender Antivirus settings with Group Policy
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
index 37d31d6dc7..71edcfc785 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus with Configuration Manager and Int
description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection
keywords: scep, intune, endpoint protection, configuration
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
index 6c5cb6074b..2bfad82a62 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Use PowerShell cmdlets to configure and run Microsoft Defender AV
description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus.
keywords: scan, command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
index 5a54bd4546..49f9134d53 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus with WMI
description: Use WMI scripts to configure Microsoft Defender AV.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
index e998e86722..9eb816975e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: Use next-generation technologies in Microsoft Defender Antivirus through
description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@@ -24,7 +22,7 @@ ms.custom: nextgen
Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
index 51cc0fbe72..91d3f43edb 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
@@ -3,11 +3,9 @@ title: "Why you should use Microsoft Defender Antivirus together with Microsoft
description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings."
keywords: windows defender, antivirus, third party av
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.topic: article
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index c719d57d20..4dcd95abef 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 06/02/2020
+ms.date: 08/17/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -43,16 +43,20 @@ Depending on your organization's settings, employees can copy and paste images (
### Why don't employees see their Favorites in the Application Guard Edge session?
-To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
+To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device.
-### Why aren’t employees able to see their Extensions in the Application Guard Edge session?
+### Are extensions supported in the Application Guard?
-Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
+Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container).
### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
+If Application Guard is used with network proxies, they need to be specified by fully qualified domain name (FQDN) in the system proxy settings (likewise in a PAC script if that is the type of proxy configuration used). Additionally these proxies need to be marked as *neutral* in the **Application trust** list. The FQDNs for the PAC file and the proxy servers the PAC file redirects to must be added as neutral resources in the network isolation policies that are used by Application Guard. You can verify this by going to `edge://application-guard-internals/#utilities` and entering the FQDN for the pac/proxy in the **check url trust** field. Verify that it says *Neutral.*
+
+Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the enterprise IP ranges in the network isolation policies that are used by Application Guard. Additionally, go to `edge://application-guard-internals/#utilities` to view the Application Guard proxy configuration. This step can be done in both the host and within Application Guard to verify that each side is using the proxy setup you expect.
+
### Which Input Method Editors (IME) in 19H1 are not supported?
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
@@ -83,29 +87,29 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
-Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383B limit.
+Yes, both the enterprise resource domains hosted in the cloud and the domains categorized as both work and personal have a 16383B limit.
### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
-### Why do the Network Isolation policies in Group Policy and CSP look different?
+### Why do the network isolation policies in Group Policy and CSP look different?
-There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
+There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
### Why did Application Guard stop working after I turned off hyperthreading?
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements.
### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
@@ -119,8 +123,8 @@ For guidance on how to create a firewall rule by using group policy, see:
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
First rule (DHCP Server):
-1. Program path: %SystemRoot%\System32\svchost.exe
-2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))
+1. Program path: `%SystemRoot%\System32\svchost.exe`
+2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess))
3. Protocol UDP
4. Port 67
@@ -139,7 +143,7 @@ In the Microsoft Defender Firewall user interface go through the following steps
### Why can I not launch Application Guard when Exploit Guard is enabled?
-There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default".
+There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**.
### How can I have ICS in enabled state yet still use Application Guard?
@@ -148,14 +152,23 @@ This is a two step process.
Step 1:
-Enable Internet Connection sharing by changing the Group Policy setting “Prohibit use of Internet Connection Sharing on your DNS domain network” which is part of the MS Security baseline from Enabled to Disabled.
+Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**.
Step 2:
-1. Disable IpNat.sys from ICS load
-System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1
-2. Configure ICS (SharedAccess) to enabled
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3
-3. Disabling IPNAT (Optional)
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4
-4. Reboot.
+1. Disable IpNat.sys from ICS load:
+`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`.
+2. Configure ICS (SharedAccess) to enabled:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`.
+3. Disable IPNAT (Optional):
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
+4. Restart the device.
+
+### Why doesn't Application Guard work, even though it's enabled through Group Policy?
+
+Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard).
+To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing.
+
+For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite.
+
+For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 94c74051a1..59a850ea64 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -57,3 +57,4 @@ Table and column names are also listed within the Microsoft Defender Security Ce
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md)
- [Learn the query language](advanced-hunting-query-language.md)
+- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index dde4d8932b..de60666730 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -3,7 +3,6 @@ title: Use attack surface reduction rules to prevent malware infection
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
index db8dec5ba9..093a2013f5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@@ -1,9 +1,8 @@
---
-title: Test how Microsoft Defender ATP features work
-description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it were enabled
+title: Test how Microsoft Defender ATP features work in audit mode
+description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled.
keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,28 +11,27 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 04/02/2019
ms.reviewer:
manager: dansimp
---
-# Use audit mode
+# Test how Microsoft Defender ATP features work in audit mode
**Applies to:**
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
+You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
-You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
+You may want to enable audit mode when testing how the features will work in your organization. Ensure it doesn't affect your line-of-business apps, and get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
-While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
+The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled.
To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
+This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index f0292e125f..bd94cf5240 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -21,16 +21,16 @@ ms.topic: conceptual
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
-Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.
+Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities.
-The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated.
+Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated.
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
## How the automated investigation starts
-When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
+When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@@ -41,7 +41,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t
## Details of an automated investigation
-During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
+During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
|Tab |Description |
|--|--|
@@ -50,7 +50,7 @@ During and after an automated investigation, you can view details about the inve
|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
-|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. |
+|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
> [!IMPORTANT]
> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
@@ -59,28 +59,41 @@ During and after an automated investigation, you can view details about the inve
While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
-If an incriminated entity is seen in another device, the automated investigation process will expand its scope to include that device, and a general security playbook will start on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
+If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the **Pending actions** tab.
## How threats are remediated
-Depending on how you set up the device groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
+Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats.
+
+> [!NOTE]
+> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
You can configure the following levels of automation:
|Automation level | Description|
|---|---|
-|No automated response | Devices do not get any automated investigations run on them. |
-|Semi - require approval for any remediation | This is the default automation level.
An approval is needed for any remediation action. |
-|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.
Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.|
-|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.
Files or executables in all other folders will automatically be remediated if needed.|
-|Full - remediate threats automatically | All remediation actions will be performed automatically.|
+|**Full - remediate threats automatically** | All remediation actions are performed automatically.
*This option is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020.*|
+|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.
Files or executables in all other folders are automatically remediated, if needed.|
+|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.
Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).|
+|**Semi - require approval for any remediation** | An approval is needed for any remediation action.
*This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*|
+|**No automated response** | Devices do not get any automated investigations run on them.
*This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* |
-> [!TIP]
-> For more information on how to configure these automation levels, see [Create and manage device groups](machine-groups.md).
-The default device group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed.
+> [!IMPORTANT]
+> A few points of clarification regarding automation levels and default settings:
+> - If your tenant already has device groups defined, the automation level settings are not changed.
+> - If your tenant was onboarded to Microsoft Defender ATP before August 16, 2020, your organization's first device group is set to **Semi - require approval for any remediation** by default.
+> - If your tenant is onboarded on or after August 16, 2020, when your organization's first device group is set to **Full - remediate threats automatically**.
+> - To change an automation level, edit your [device groups](configure-automated-investigations-remediation.md#set-up-device-groups).
-When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
+
+### A few points to keep in mind
+
+- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
+
+- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed.
+
+- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
## Next steps
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
index 04569f6785..4fc887a605 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -90,7 +90,7 @@ While the attack was detected and stopped, alerts, such as an "initial access al
This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
-### Example 2: NTML relay - Juicy Potato malware variant
+### Example 2: NTLM relay - Juicy Potato malware variant
As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
index 2dc93956ba..ef4053bac6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
@@ -103,8 +103,8 @@ The following steps assume that you have completed all the required steps in [Be
For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
Events URL |
- Depending on the location of your datacenter, select either the EU or the US URL: For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
- For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME |
+ Depending on the location of your datacenter, select either the EU or the US URL: For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+ For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME |
| Authentication Type |
OAuth 2 |
@@ -113,7 +113,7 @@ The following steps assume that you have completed all the required steps in [Be
Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded. |
| Refresh Token |
- You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.
For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP. Get your refresh token using the restutil tool: a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool. b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the Refresh Token field.
+ | You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.
For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP. Get your refresh token using the restutil tool: a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool. b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the Refresh Token field.
|
|
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
index 3f0a7dcdd7..413259ce26 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@@ -101,6 +101,75 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
> If you don't set a value, the default value is to enable sample collection.
+## Other recommended configuration settings
+
+### Update endpoint protection configuration
+
+After configuring the onboarding script, continue editing the same group policy to add endpoint protection configurations. Perform group policy edits from a system running Windows 10 or Server 2019 to ensure you have all of the required Microsoft Defender Antivirus capabilities. You may need to close and reopen the group policy object to register the Defender ATP configuration settings.
+
+All policies are located under `Computer Configuration\Policies\Administrative Templates`.
+
+**Policy location:** \Windows Components\Windows Defender ATP
+
+Policy | Setting
+:---|:---
+Enable\Disable Sample collection| Enabled - "Enable sample collection on machines" checked
+
+
+**Policy location:** \Windows Components\Windows Defender Antivirus
+
+Policy | Setting
+:---|:---
+Configure detection for potentially unwanted applications | Enabled, Block
+
+**Policy location:** \Windows Components\Windows Defender Antivirus\MAPS
+
+Policy | Setting
+:---|:---
+Join Microsoft MAPS | Enabled, Advanced MAPS
+Send file samples when further analysis is required | Enabled, Send safe samples
+
+**Policy location:** \Windows Components\Windows Defender Antivirus\Real-time Protection
+
+Policy | Setting
+:---|:---
+Turn off real-time protection|Disabled
+Turn on behavior monitoring|Enabled
+Scan all downloaded files and attachments|Enabled
+Monitor file and program activity on your computer|Enabled
+
+
+**Policy location:** \Windows Components\Windows Defender Antivirus\Scan
+
+These settings configure periodic scans of the endpoint. We recommend performing a weekly quick scan, performance permitting.
+
+Policy | Setting
+:---|:---
+Check for the latest virus and spyware security intelligence before running a scheduled scan |Enabled
+
+
+
+**Policy location:** \Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction
+
+Get the current list of attack surface reduction GUIDs from [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
+
+1. Open the **Configure Attack Surface Reduction** policy.
+2. Select **Enabled**.
+3. Select the **Show…** button.
+4. Add each GUID in the **Value Name** field with a Value of 2.
+
+This will set each up for audit only.
+
+
+
+
+
+Policy | Setting
+:---|:---
+Configure Controlled folder access| Enabled, Audit Mode
+
+
+
## Offboard devices using Group Policy
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
index b06ae2ef0e..50e1369d5f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 12/06/2018
---
# Onboard Windows 10 devices using Mobile Device Management tools
@@ -51,6 +50,8 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
>[!TIP]
> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
+
+
## Offboard and monitor devices using Mobile Device Management tools
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
index 5ad42ec668..4536ced3cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@@ -28,17 +28,24 @@ ms.date: 02/07/2020
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
-
+## Supported client operating systems
-## Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager current branch
+Based on the version of Configuration Manager you're running, the following client operating systems can be onboarded:
-Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
+#### Configuration Manager version 1910 and prior
-
+- Clients computers running Windows 10, version 1607 and later
-## Onboard Windows 10 devices using earlier versions of System Center Configuration Manager
+#### Configuration Manager version 2002 and later
-You can use existing Configuration Manager functionality to create a policy to configure your devices. This action is supported in System Center 2012 R2 Configuration Manager.
+Starting in Configuration Manager version 2002, you can onboard the following operating systems:
+
+- Windows 8.1
+- Windows 10, version 1607 or later
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server 2016, version 1803 or later
+- Windows Server 2019
### Onboard devices using System Center Configuration Manager
@@ -50,7 +57,7 @@ You can use existing Configuration Manager functionality to create a policy to c
c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
- d. Click **Download package**, and save the .zip file.
+ d. Select **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
@@ -75,7 +82,11 @@ For more information, see [Configure Detection Methods in System Center 2012 R2
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
-You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a device.
+>[!NOTE]
+>These configuration settings are typically done through Configuration Manager.
+
+You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device.
+
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they’re complaint.
The configuration is set through the following registry key entry:
@@ -93,13 +104,49 @@ Possible values are:
The default value in case the registry key doesn’t exist is 1.
-For more information about System Center Configuration Manager Compliance see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
+For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
+## Other recommended configuration settings
+After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.
+
+### Device collection configuration
+If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
+
+
+### Next generation protection configuration
+The following configuration settings are recommended:
+
+**Scan**
+- Scan removable storage devices such as USB drives: Yes
+
+**Real-time Protection**
+- Enable Behavioral Monitoring: Yes
+- Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes
+
+**Cloud Protection Service**
+- Cloud Protection Service membership type: Advanced membership
+
+**Attack surface reduction**
+Configure all available rules to Audit.
+
+>[!NOTE]
+> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.
+
+
+**Network protection**
+Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/en-us/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing).
+
+
+**Controlled folder access**
+Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories.
+
+For more information, see [Evaluate controlled folder access](evaluate-controlled-folder-access.md).
+
## Offboard devices using Configuration Manager
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
@@ -118,7 +165,7 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create
c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
- d. Click **Download package**, and save the .zip file.
+ d. Select **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
@@ -144,13 +191,13 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists
1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane.
-2. Click **Overview** and then **Deployments**.
+2. Select **Overview** and then **Deployments**.
-3. Click on the deployment with the package name.
+3. Select on the deployment with the package name.
4. Review the status indicators under **Completion Statistics** and **Content Status**.
- If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
+ If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 32e7e448f6..771c2b866b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -63,7 +63,7 @@ The following steps will guide you through onboarding VDI devices and will highl
1. Click **Download package** and save the .zip file.
-2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
+2. Copy all the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
>[!NOTE]
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 99ed32fda4..ed06fd8042 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -140,8 +140,8 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo
- [Local script](configure-endpoints-script.md)
- [Group Policy](configure-endpoints-gp.md)
-- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md#onboard-windows-10-devices-using-microsoft-endpoint-configuration-manager-current-branch)
-- [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
+- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
+- [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md)
> [!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index 6efcb63fd5..d48749b987 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -3,13 +3,11 @@ title: Prevent ransomware and threats from encrypting and changing files
description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: denisebmsft
ms.author: deniseb
audience: ITPro
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 7481a4362e..6021933e52 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -1,7 +1,7 @@
---
-title: Create and manage custom detection rules in Microsoft Defender ATP
+title: Create custom detection rules in Microsoft Defender ATP
ms.reviewer:
-description: Learn how to create and manage custom detection rules based on advanced hunting queries
+description: Learn how to create custom detection rules based on advanced hunting queries
keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -18,22 +18,27 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-
-# Create and manage custom detection rules
+# Create custom detection rules
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
+Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
-> [!NOTE]
-> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
-## Create a custom detection rule
-### 1. Prepare the query.
+## 1. Check required permissions
-In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
+To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-#### Required columns in the query results
+## 2. Prepare the query
+
+In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
+
+>[!IMPORTANT]
+>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
+
+
+### Required columns in the query results
To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
@@ -48,83 +53,60 @@ DeviceEvents
| where count_ > 5
```
-### 2. Create new rule and provide alert details.
+## 3. Create new rule and provide alert details
With the query in the query editor, select **Create detection rule** and specify the following alert details:
-- **Detection name** — name of the detection rule
-- **Frequency** — interval for running the query and taking action. [See additional guidance below](#rule-frequency)
-- **Alert title** — title displayed with alerts triggered by the rule
-- **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
-- **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
-- **Description** — more information about the component or activity identified by the rule
-- **Recommended actions** — additional actions that responders might take in response to an alert
+- **Detection name**—name of the detection rule
+- **Frequency**—interval for running the query and taking action. [See additional guidance below](#rule-frequency)
+- **Alert title**—title displayed with alerts triggered by the rule
+- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
+- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
+- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
+- **Description**—more information about the component or activity identified by the rule
+- **Recommended actions**—additional actions that responders might take in response to an alert
For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
-#### Rule frequency
+### Rule frequency
When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
-- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days
-- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours
-- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours
-- **Every hour** — runs hourly, checking data from the past 2 hours
+- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
+- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
+- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours
+- **Every hour**—runs hourly, checking data from the past 2 hours
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
-### 3. Specify actions on files or devices.
+## 4. Specify actions on files or devices
Your custom detection rule can automatically take actions on files or devices that are returned by the query.
-#### Actions on devices
+### Actions on devices
These actions are applied to devices in the `DeviceId` column of the query results:
-- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
-- **Collect investigation package** — collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
-- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the device
-- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device
+- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
+- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
+- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
+- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
-#### Actions on files
+### Actions on files
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
-- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
-- **Quarantine file** — deletes the file from its current location and places a copy in quarantine
+- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
+- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
-### 4. Click **Create** to save and turn on the rule.
-After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
+## 5. Set the rule scope
+Set the scope to specify which devices are covered by the rule:
-## Manage existing custom detection rules
-In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+- All devices
+- Specific device groups
-### View existing rules
+Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
-To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
+## 6. Review and turn on the rule
+After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
-- **Last run** — when a rule was last run to check for query matches and generate alerts
-- **Last run status** — whether a rule ran successfully
-- **Next run** — the next scheduled run
-- **Status** — whether a rule has been turned on or off
-### View rule details, modify rule, and run rule
-
-To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information:
-
-- General information about the rule, including the details of the alert, run status, and scope
-- List of triggered alerts
-- List of triggered actions
-
-
-*Custom detection rule page*
-
-You can also take the following actions on the rule from this page:
-
-- **Run** — run the rule immediately. This also resets the interval for the next run.
-- **Edit** — modify the rule without changing the query
-- **Modify query** — edit the query in advanced hunting
-- **Turn on** / **Turn off** — enable the rule or stop it from running
-- **Delete** — turn off the rule and remove it
-
->[!TIP]
->To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
-
-## Related topic
+## Related topics
+- [View and manage detection rules](custom-detections-manage.md)
- [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
new file mode 100644
index 0000000000..bae067bcec
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
@@ -0,0 +1,67 @@
+---
+title: View and manage custom detection rules in Microsoft Defender ATP
+ms.reviewer:
+description: Learn how to view and manage custom detection rules
+keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+
+# View and manage custom detection rules
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+
+## Required permissions
+
+To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+
+## View existing rules
+
+To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
+
+- **Last run**—when a rule was last run to check for query matches and generate alerts
+- **Last run status**—whether a rule ran successfully
+- **Next run**—the next scheduled run
+- **Status**—whether a rule has been turned on or off
+
+## View rule details, modify rule, and run rule
+
+To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the following information:
+
+- General information about the rule, including the details of the alert, run status, and scope
+- List of triggered alerts
+- List of triggered actions
+
+
+*Custom detection rule page*
+
+You can also take the following actions on the rule from this page:
+
+- **Run**—run the rule immediately. This action also resets the interval for the next run.
+- **Edit**—modify the rule without changing the query
+- **Modify query**—edit the query in advanced hunting
+- **Turn on** / **Turn off**—enable the rule or stop it from running
+- **Delete**—turn off the rule and remove it
+
+>[!TIP]
+>To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
+
+## Related topics
+- [Custom detections overview](overview-custom-detections.md)
+- [Create detection rules](custom-detection-rules.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [View and organize alerts](alerts-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index a7c6223e18..8a8bf44962 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -1,18 +1,15 @@
---
-title: Configure how attack surface reduction rules work to fine-tune protection in your network
-description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
+title: Customize attack surface reduction rules
+description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
@@ -35,21 +32,21 @@ You can set attack surface reduction rules for devices running any of the follow
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
+You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings.
## Exclude files and folders
-You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running.
+You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.
> [!WARNING]
> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
-An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule.
+An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule.
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
+Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
Rule description | GUID
-|-|-
@@ -73,20 +70,20 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
### Use Group Policy to exclude files and folders
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
> [!WARNING]
> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
### Use PowerShell to exclude files and folders
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
@@ -104,7 +101,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio
## Customize the notification
-See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+You can customize the notification for when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
index 6a0da83f4f..0659908d5c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
@@ -1,18 +1,15 @@
---
-title: Add additional folders and apps to be protected
-description: Add additional folders that should be protected by Controlled folder access, or allow apps that are incorrectly blocking changes to important files.
+title: Customize controlled folder access
+description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files.
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/13/2019
ms.reviewer:
manager: dansimp
---
@@ -23,9 +20,9 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
-This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
+This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
* [Add additional folders to be protected](#protect-additional-folders)
* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
@@ -37,11 +34,9 @@ This topic describes how to customize the following settings of the controlled f
## Protect additional folders
-Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
+Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list.
-You can add additional folders to be protected, but you cannot remove the default folders in the default list.
-
-Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
+Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults.
You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
@@ -49,27 +44,27 @@ You can use the Windows Security app or Group Policy to add and remove additiona
### Use the Windows Security app to protect additional folders
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**:
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
-3. Under the **Controlled folder access** section, click **Protected folders**
+3. Under the **Controlled folder access** section, select **Protected folders**.
-4. Click **Add a protected folder** and follow the prompts to add apps.
+4. Select **Add a protected folder** and follow the prompts to add apps.
### Use Group Policy to protect additional folders
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
-4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
+4. Double-click **Configured protected folders** and set the option to **Enabled**. Select **Show** and enter each folder.
### Use PowerShell to protect additional folders
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
@@ -89,41 +84,41 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
## Allow specific apps to make changes to controlled folders
-You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
+You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature.
> [!IMPORTANT]
> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
-When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
+When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access.
-An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+An allowed application or service only has write access to a controlled folder after it starts. For example, an update service will continue to trigger events after it's allowed until it is stopped and restarted.
### Use the Windows Defender Security app to allow specific apps
-1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
-3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
+3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access**
-4. Click **Add an allowed app** and follow the prompts to add apps.
+4. Select **Add an allowed app** and follow the prompts to add apps.
### Use Group Policy to allow specific apps
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
-4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
+4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Select **Show** and enter each app.
### Use PowerShell to allow specific apps
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
@@ -149,7 +144,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications]
## Customize the notification
-See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center).
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
index 13358eb288..55552af86b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
@@ -1,18 +1,15 @@
---
-title: Enable or disable specific mitigations used by Exploit protection
+title: Customize exploit protection
keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
-description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
+description: You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 03/26/2019
ms.reviewer:
manager: dansimp
---
@@ -25,11 +22,11 @@ manager: dansimp
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
-You configure these settings using the Windows Security app on an individual device, and then export the configuration as an XML file that you can deploy to other devices. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
+Configure these settings using the Windows Security app on an individual device. Then, export the configuration as an XML file so you can deploy to other devices. Use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
-This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
+This article lists each of the mitigations available in exploit protection. It indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
-It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
+It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating, exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
> [!WARNING]
> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
@@ -38,20 +35,20 @@ It also describes how to enable or configure the mitigations using Windows Secur
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
-You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
+You can set each of the mitigations on, off, or to their default value. Some mitigations have additional options that are indicated in the description in the table.
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
-For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
+For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article.
Mitigation | Description | Can be applied to | Audit mode available
-|-|-|-
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
@@ -61,14 +58,14 @@ Block untrusted fonts | Prevents loading any GDI-based fonts not installed in th
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
> [!IMPORTANT]
> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
@@ -107,9 +104,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
### Configure system-level mitigations with the Windows Security app
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
+2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
* **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
@@ -125,14 +122,14 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
5. Go to the **Program settings** section and choose the app you want to apply mitigations to:
- 1. If the app you want to configure is already listed, click it and then click **Edit**
- 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
+ 1. If the app you want to configure is already listed, select it and then select **Edit**
+ 2. If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app:
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
+6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, select the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+7. Repeat these steps for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations.
@@ -204,7 +201,7 @@ Where:
You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
- For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
+ For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command:
```PowerShell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
@@ -250,9 +247,9 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
## Customize the notification
-See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center).
-## Related topics
+## See also
* [Protect devices from exploits](exploit-protection.md)
* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
index 350568b2e5..3a379ea946 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
@@ -41,13 +41,15 @@ There are several methods you can use to onboard to the service. For information
## In Scope
The following is in scope for this deployment guide:
+
- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service
+
- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
capabilities
- - Next Generation Protection
+ - Next-generation protection
- - Attack Surface Reduction
+ - Attack surface reduction
- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
capabilities including automatic investigation and remediation
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
index 12436534f1..29b20bcf7f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
-ms.collection:
+ms.date: 08/21/2020
---
# Endpoint detection and response (EDR) in block mode
@@ -26,10 +26,14 @@ ms.collection:
## What is EDR in block mode?
-When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
+When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Microsoft Defender ATP blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach.
+
+EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled.
+
+:::image type="content" source="images/edrblockmode-TVMrecommendation.png" alt-text="recommendation to turn on EDR in block mode":::
> [!NOTE]
-> EDR in block mode is currently in private preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
+> EDR in block mode is currently in preview, available to organizations who have opted in to receive **[preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
## What happens when something is detected?
@@ -37,7 +41,7 @@ When EDR in block mode is turned on, and a malicious artifact is detected, block
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
-:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="EDR in block mode detected something":::
+:::image type="content" source="images/edr-in-block-mode-detection.png" alt-text="EDR in block mode detected something":::
## Enable EDR in block mode
@@ -83,7 +87,9 @@ Because Microsoft Defender Antivirus detects and remediates malicious items, it'
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
-## Related articles
+## See also
+
+[Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
[Behavioral blocking and containment](behavioral-blocking-containment.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
deleted file mode 100644
index 040f644860..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Compare the features in Exploit protection with EMET
-keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert
-description: Exploit protection in Microsoft Defender ATP is our successor to Enhanced Mitigation Experience Toolkit (EMET) and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.date: 08/08/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> [!IMPORTANT]
-> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP.
->
-> You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
-
-This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP.
-
-Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
-
-EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
-
-After July 31, 2018, it will not be supported.
-
-For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
-
-* [Protect devices from exploits](exploit-protection.md)
-* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-
-## Mitigation comparison
-
-The mitigations available in EMET are included in Windows Defender, under the [exploit protection feature](exploit-protection.md).
-
-The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.
-
-Mitigation | Available in Windows Defender | Available in EMET
--|-|-
-Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Memory Protection Check"
-Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Load Library Check"
-Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
-
-> [!NOTE]
-> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process.
->
-> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
-
-## Related topics
-
-* [Protect devices from exploits with Windows Defender](exploit-protection.md)
-* [Evaluate exploit protection](evaluate-exploit-protection.md)
-* [Enable exploit protection](enable-exploit-protection.md)
-* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 2506f2934b..a9f51e70aa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -1,9 +1,8 @@
---
-title: Enable attack surface reduction rules individually to protect your organization
+title: Enable attack surface reduction rules
description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 06/04/2020
ms.reviewer:
manager: dansimp
---
@@ -69,11 +67,11 @@ The following procedures for enabling ASR rules include instructions for how to
2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
-3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
+3. Under **Attack Surface Reduction exceptions**, enter individual files and folders. You can also select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
`C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
-4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
+4. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
## MDM
@@ -104,32 +102,32 @@ Example:
## Microsoft Endpoint Configuration Manager
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-2. Click **Home** > **Create Exploit Guard Policy**.
+2. Select **Home** > **Create Exploit Guard Policy**.
-3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
+3. Enter a name and a description, select **Attack Surface Reduction**, and select **Next**.
-4. Choose which rules will block or audit actions and click **Next**.
+4. Choose which rules will block or audit actions and select **Next**.
-5. Review the settings and click **Next** to create the policy.
+5. Review the settings and select **Next** to create the policy.
-6. After the policy is created, click **Close**.
+6. After the policy is created, **Close**.
## Group Policy
> [!WARNING]
> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
- Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
+ Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows:
- Disable = 0
- Block (enable ASR rule) = 1
@@ -137,7 +135,7 @@ Example:
-5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
> [!WARNING]
> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
@@ -145,9 +143,9 @@ Example:
## PowerShell
> [!WARNING]
-> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
+> If you manage your computers and devices with Intune, Configuration Manager, or another enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. To allow users to define the value using PowerShell, use the "User Defined" option for the rule in the management platform.
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
@@ -200,4 +198,3 @@ Example:
- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
- [Attack surface reduction FAQ](attack-surface-reduction.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index 4fa6b49fc9..8c811f809d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -1,9 +1,8 @@
---
-title: Turn on the protected folders feature in Windows 10
+title: Enable controlled folder access
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
description: Learn how to protect your important files by enabling Controlled folder access
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +11,6 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/13/2019
ms.reviewer:
manager: dansimp
---
@@ -29,7 +27,7 @@ You can enable controlled folder access by using any of these methods:
* [Windows Security app](#windows-security-app)
* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
+* [Mobile Device Management (MDM)](#mobile-device-management-mdm)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
@@ -45,71 +43,70 @@ For more information about disabling local list merging, see [Prevent or allow u
## Windows Security app
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar. You can also search the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
3. Set the switch for **Controlled folder access** to **On**.
> [!NOTE]
> If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
> If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
-
> If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive.
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-2. Click **Device configuration** > **Profiles** > **Create profile**.
+2. Go to **Device configuration** > **Profiles** > **Create profile**.
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
+4. Go to **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
-5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
+5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection. Select **Add**.
> [!NOTE]
> Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
-6. Click **OK** to save each open blade and click **Create**.
+6. Select **OK** to save each open blade and **Create**.
-7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+7. Select the profile **Assignments**, assign to **All Users & All Devices**, and **Save**.
-## MDM
+## Mobile Device Management (MDM)
Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Microsoft Endpoint Configuration Manager
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-2. Click **Home** > **Create Exploit Guard Policy**.
+2. Select **Home** > **Create Exploit Guard Policy**.
-3. Enter a name and a description, click **Controlled folder access**, and click **Next**.
+3. Enter a name and a description, select **Controlled folder access**, and select **Next**.
-4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
+4. Choose whether block or audit changes, allow other apps, or add other folders, and select **Next**.
> [!NOTE]
> Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
-5. Review the settings and click **Next** to create the policy.
+5. Review the settings and select **Next** to create the policy.
-6. After the policy is created, click **Close**.
+6. After the policy is created, **Close**.
## Group Policy
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
-4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
- * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
- * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
+4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options:
+ * **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
+ * **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
+ * **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization.
* **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
- * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded.
+ * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
@@ -118,7 +115,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
## PowerShell
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
@@ -128,9 +125,9 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`.
-Use `Disabled` to turn the feature off.
+Use `Disabled` to turn off the feature.
-## Related topics
+## See also
* [Protect important folders with controlled folder access](controlled-folders.md)
* [Customize controlled folder access](customize-controlled-folders.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index 2251cef5dc..c611445181 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -3,16 +3,13 @@ title: Turn on exploit protection to help mitigate against attacks
keywords: exploit, mitigation, attacks, vulnerability
description: Learn how to enable exploit protection in Windows 10. Exploit protection helps protect your device against malware.
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
-ms.date: 01/08/2020
ms.reviewer:
manager: dansimp
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index 298ace459d..e737eb44d7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -1,19 +1,16 @@
---
-title: Turn on network protection
-description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs
+title: Turning on network protection
+description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager
keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: levinec
ms.author: ellevin
ms.reviewer:
-audience: ITPro
manager: dansimp
---
@@ -23,12 +20,11 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
+[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it.
## Check if network protection is enabled
-You can see if network protection has been enabled on a local device by using Registry editor.
+Check if network protection has been enabled on a local device by using Registry editor.
1. Select the **Start** button in the task bar and type **regedit** to open Registry editor
1. Choose **HKEY_LOCAL_MACHINE** from the side menu
@@ -41,87 +37,101 @@ You can see if network protection has been enabled on a local device by using Re
## Enable network protection
-You can enable network protection by using any of these methods:
+Enable network protection by using any of these methods:
* [PowerShell](#powershell)
* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
+* [Mobile Device Management (MDM)](#mobile-device-management-mmd)
* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
### PowerShell
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection Enabled
```
-You can enable the feature in audit mode using the following cmdlet:
+3. Optional: Enable the feature in audit mode using the following cmdlet:
-```PowerShell
-Set-MpPreference -EnableNetworkProtection AuditMode
-```
+ ```PowerShell
+ Set-MpPreference -EnableNetworkProtection AuditMode
+ ```
-Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
+ Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature.
### Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-1. Click **Device configuration** > **Profiles** > **Create profile**.
-1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- 
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
- 
-1. Click **OK** to save each open blade and click **Create**.
-1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
-### MDM
+2. Go to **Device configuration** > **Profiles** > **Create profile**.
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+
+ 
+
+4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
+
+ 
+
+5. Select **OK** to save each open section and **Create**.
+
+6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**.
+
+### Mobile Device Management (MMD)
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
## Microsoft Endpoint Configuration Manager
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Network protection**, and click **Next**.
-1. Choose whether to block or audit access to suspicious domains and click **Next**.
-1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+
+2. Then go to **Home** > **Create Exploit Guard Policy**.
+
+3. Enter a name and a description, select **Network protection**, and then **Next**.
+
+4. Choose whether to block or audit access to suspicious domains and select **Next**.
+
+5. Review the settings and select **Next** to create the policy.
+
+6. After the policy is created, **Close**.
### Group Policy
-You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
+Use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
-1. On a standalone computer, click **Start**, type and then click **Edit group policy**.
+1. On a standalone computer, go to **Start** and then type and select **Edit group policy**.
*-Or-*
- On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+ On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
-4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
- * **Block** - Users will not be able to access malicious IP addresses and domains
- * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
- * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
+4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:
+ * **Block** - Users can't access malicious IP addresses and domains
+ * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains
+ * **Audit Mode** - If a user visits a malicious IP address or domain, an event won't be recorded in the Windows event log. However, the user won't be blocked from visiting the address.
> [!IMPORTANT]
> To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
-You can confirm network protection is enabled on a local computer by using Registry editor:
+Confirm network protection is enabled on a local computer by using Registry editor:
+
+1. Select **Start** and type **regedit** to open **Registry Editor**.
-1. Click **Start** and type **regedit** to open **Registry Editor**.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
-3. Click **EnableNetworkProtection** and confirm the value:
+
+3. Select **EnableNetworkProtection** and confirm the value:
* 0=Off
* 1=On
* 2=Audit
-## Related topics
+## See also
* [Network protection](network-protection.md)
* [Evaluate network protection](evaluate-network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
deleted file mode 100644
index 76c04110e7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Enable Secure Score in Microsoft Defender ATP
-description: Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard.
-keywords: enable secure score, baseline, calculation, analytics, score, secure score dashboard, dashboard
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Enable Secure Score security controls
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
-Set the baselines for calculating the score of security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
-
- >[!NOTE]
- >Changes might take up to a few hours to reflect on the dashboard.
-
-1. In the navigation pane, select **Settings** > **Secure Score**.
-
-2. Select the security control, then toggle the setting between **On** and **Off**.
-
-3. Click **Save preferences**.
-
-## Related topics
-- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-- [Update data retention settings for Microsoft Defender ATP](data-retention-settings.md)
-- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md)
-- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Configure advanced features in Microsoft Defender ATP](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index bbcbd77dcc..e78e648ca5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -37,7 +37,7 @@ These capabilities help prevent attacks and exploitations from infecting your or
- [Evaluate application guard](../microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
- [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-## Evaluate next generation protection
+## Evaluate next-generation protection
Next gen protections help detect and block the latest threats.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 980238995f..32432b5025 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -1,18 +1,15 @@
---
-title: Use a demo to see how ASR rules can help protect your devices
-description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks
+title: Evaluate attack surface reduction rules
+description: See how attack surface reduction would block and prevent attacks with the custom demo tool.
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
@@ -23,22 +20,21 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization.
+Learn how to evaluate attack surface reduction rules by enabling audit mode to test the feature directly in your organization.
> [!TIP]
-> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Use audit mode to measure impact
-You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules.
-
-You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
+Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use.
To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet:
@@ -49,13 +45,13 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
> [!TIP]
> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
-You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md).
+You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main [Attack surface reduction rules](attack-surface-reduction.md) article.
## Review attack surface reduction events in Windows Event Viewer
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.
- Event ID | Description
+Event ID | Description
-|-
5007 | Event when settings are changed
1121 | Event when an attack surface reduction rule fires in block mode
@@ -65,9 +61,9 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev
During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature.
-See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
+See [Customize attack surface reduction rules](customize-attack-surface-reduction.md) for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
-## Related topics
+## See also
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index ae0a15fe7f..1df853c6ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -1,18 +1,15 @@
---
-title: See how controlled folder access can help protect files from being changed by malicious apps
-description: Use a custom tool to see how Controlled folder access works in Windows 10.
+title: Evaluate controlled folder access
+description: See how controlled folder access can help protect files from being changed by malicious apps.
keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
---
@@ -23,20 +20,18 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
-It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
+It is especially useful in helping protect against [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that attempts to encrypt your files and hold them hostage.
-This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
+This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
> [!TIP]
-> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Use audit mode to measure impact
-You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
-
-You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
+Enable the controlled folder access in audit mode to see a record of what *would* have happened if it was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
To enable audit mode, use the following PowerShell cmdlet:
@@ -46,7 +41,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode
> [!TIP]
> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
-You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
+You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
## Review controlled folder access events in Windows Event Viewer
@@ -65,9 +60,9 @@ Event ID | Description
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
-See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
+See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM configuration service providers (CSPs).
-## Related topics
+## See also
* [Protect important folders with controlled folder access](controlled-folders.md)
* [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index d0ad0448da..dabee673ee 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -3,7 +3,6 @@ title: See how exploit protection works in a demo
description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
index 6e3840831e..1e08e42942 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
@@ -1,18 +1,15 @@
---
-title: Conduct a demo to see how network protection works
-description: Quickly see how Network protection works by performing common scenarios that it protects against
+title: Evaluate network protection
+description: See how network protection works by testing common scenarios that it protects against.
keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/10/2019
ms.reviewer:
manager: dansimp
---
@@ -25,18 +22,16 @@ manager: dansimp
[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
+This article helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
> [!TIP]
> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
## Enable network protection in audit mode
-You can enable network protection in audit mode to see which IP addresses and domains would have been blocked if it was enabled.
+Enable network protection in audit mode to see which IP addresses and domains would have been blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur.
-You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur.
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
@@ -63,7 +58,7 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev
|1125 | Windows Defender (Operational) | Event when a network connection is audited |
|1126 | Windows Defender (Operational) | Event when a network connection is blocked |
-## Related topics
+## See also
* [Network protection](network-protection.md)
* [Enable network protection](enable-network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
index 7f19406d2e..a856668804 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
@@ -108,15 +108,15 @@ See Onboard Windows 10 devices.
| 9 |
Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable. |
-During onboarding: The device did not onboard correctly and will not be reporting to the portal.
During offboarding: Failed to change the service start type. The offboarding process continues. |
+During onboarding: The device did not onboard correctly and will not be reporting to the portal.
During offboarding: Failed to change the service start type. The offboarding process continues. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See Onboard Windows 10 devices. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
index 2fe08915a1..d373f292ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
@@ -1,20 +1,16 @@
---
-ms.reviewer:
-title: Import custom views to see attack surface reduction events
-description: Use Windows Event Viewer to import individual views for each of the features.
+title: View attack surface reduction events
+description: Import custom views to see attack surface reduction events.
keywords: event view, exploit guard, audit, review, events
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
-ms.date: 04/16/2018
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 03/26/2019
+ms.reviewer:
manager: dansimp
---
@@ -24,19 +20,17 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
+Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow.
-Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
+Reviewing events is handy when you're evaluating the features. You can enable audit mode for features or settings, and then review what would have happened if they were fully enabled.
-This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
+This article lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
-You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
+Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
## Use custom views to review attack surface reduction capabilities
-You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
-
-The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
+Create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. The easiest way is to import a custom view as an XML file. You can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the feature.
@@ -48,33 +42,33 @@ You can also manually navigate to the event area that corresponds to the feature
- Attack surface reduction events custom view: *asr-events.xml*
- Network/ protection events custom view: *np-events.xml*
-1. Type **event viewer** in the Start menu and open **Event Viewer**.
+2. Type **event viewer** in the Start menu and open **Event Viewer**.
-1. Click **Action** > **Import Custom View...**
+3. Select **Action** > **Import Custom View...**
-1. Navigate to where you extracted XML file for the custom view you want and select it.
+4. Navigate to where you extracted XML file for the custom view you want and select it.
-1. Click **Open**.
+5. Select **Open**.
-1. This will create a custom view that filters to only show the events related to that feature.
+6. It will create a custom view that filters to only show the events related to that feature.
### Copy the XML directly
1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
-1. On the left panel, under **Actions**, click **Create Custom View...**
+2. On the left panel, under **Actions**, select **Create Custom View...**
-1. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
+3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**.
-1. Paste the XML code for the feature you want to filter events from into the XML section.
+4. Paste the XML code for the feature you want to filter events from into the XML section.
-1. Click **OK**. Specify a name for your filter.
+5. Select **OK**. Specify a name for your filter.
-1. This will create a custom view that filters to only show the events related to that feature.
+6. It will create a custom view that filters to only show the events related to that feature.
### XML for attack surface reduction rule events
@@ -131,13 +125,13 @@ You can also manually navigate to the event area that corresponds to the feature
## List of attack surface reduction events
-All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
+All attack surface reduction events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
You can access these events in Windows Event viewer:
-1. Open the **Start** menu and type **event viewer**, and then click on the **Event Viewer** result.
+1. Open the **Start** menu and type **event viewer**, and then select the **Event Viewer** result.
2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
-3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking.
+3. Double-click on the sub item to see events. Scroll through the events to find the one you're looking.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index bab625f913..49d1fcd691 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -3,7 +3,6 @@ title: Apply mitigations to help prevent attacks through vulnerabilities
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Protect devices against exploits with Windows 10. Windows 10 has advanced exploit protection capabilities, building upon and improving the settings available in Enhanced Mitigation Experience Toolkit (EMET).
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -40,7 +39,7 @@ You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how ex
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.
> [!IMPORTANT]
-> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10.
> [!WARNING]
> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index 37e873ced5..c820d3d69e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -1,7 +1,7 @@
---
title: OData queries with Microsoft Defender ATP
ms.reviewer:
-description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP
+description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP.
keywords: apis, supported apis, odata, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
index 5f0bb3386d..94487dd4ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
@@ -1,108 +1,108 @@
----
-title: List all recommendations
-description: Retrieves a list of all security recommendations affecting the organization.
-keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List all recommendations
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all security recommendations affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-microsoft-_-windows_10",
- "productName": "windows_10",
- "recommendationName": "Update Windows 10",
- "weaknesses": 397,
- "vendor": "microsoft",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": true,
- "activeAlert": false,
- "associatedThreats": [
- "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
- "40c189d5-0330-4654-a816-e48c2b7f9c4b",
- "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
- "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
- "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
- ],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 7.674418604651163,
- "totalMachineCount": 37,
- "exposedMachinesCount": 7,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Windows 10"
- }
- ...
- ]
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
-
+---
+title: List all recommendations
+description: Retrieves a list of all security recommendations affecting the organization.
+keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List all recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all security recommendations affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-microsoft-_-windows_10",
+ "productName": "windows_10",
+ "recommendationName": "Update Windows 10",
+ "weaknesses": 397,
+ "vendor": "microsoft",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": true,
+ "activeAlert": false,
+ "associatedThreats": [
+ "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
+ "40c189d5-0330-4654-a816-e48c2b7f9c4b",
+ "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
+ "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
+ "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
+ ],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 7.674418604651163,
+ "totalMachineCount": 37,
+ "exposedMachinesCount": 7,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Windows 10"
+ }
+ ...
+ ]
+}
+```
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
index 4114015c39..8b61f18cfc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
@@ -1,96 +1,96 @@
----
-title: Get all vulnerabilities
-description: Retrieves a list of all the vulnerabilities affecting the organization
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all the vulnerabilities affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
- "value": [
- {
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get all vulnerabilities
+description: Retrieves a list of all the vulnerabilities affecting the organization
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all the vulnerabilities affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
+ "value": [
+ {
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ]
+
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
index 6eb1d7d80c..b33b579f20 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
@@ -1,83 +1,83 @@
----
-title: Get Machine Secure score
-description: Retrieves the organizational device secure score.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get Machine Secure score
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational device secure score.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-```
-GET /api/configurationScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the with device secure score data in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/configurationScore
-```
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
- "time": "2019-12-03T09:15:58.1665846Z",
- "score": 340
-}
-```
-
-## Related topics
-- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
+---
+title: Get device secure score
+description: Retrieves the organizational device secure score.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get device secure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+
+```
+GET /api/configurationScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the device secure score data in the response body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/configurationScore
+```
+
+### Response
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
+ "time": "2019-12-03T09:15:58.1665846Z",
+ "score": 340
+}
+```
+
+## Related topics
+
+- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
index d93e999a34..333b21f72f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -1,93 +1,94 @@
----
-title: Get discovered vulnerabilities
-description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get discovered vulnerabilities
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of discovered vulnerabilities related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the discovered vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-1348",
- "name": "CVE-2019-1348",
- "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 1,
- "publishedOn": "2019-12-13T00:00:00Z",
- "updatedOn": "2019-12-13T00:00:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get discovered vulnerabilities
+description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get discovered vulnerabilities
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Retrieves a collection of discovered vulnerabilities related to a given device ID.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+
+```
+GET /api/machines/{machineId}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK with the discovered vulnerability information in the body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
+```
+
+### Response
+
+Here is an example of the response.
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-1348",
+ "name": "CVE-2019-1348",
+ "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 1,
+ "publishedOn": "2019-12-13T00:00:00Z",
+ "updatedOn": "2019-12-13T00:00:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+}
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
index 794272d101..c31cd33d28 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
@@ -1,88 +1,87 @@
----
-title: Get exposure score
-description: Retrieves the organizational exposure score.
-keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get exposure score
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational exposure score.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-
-## HTTP request
-```
-GET /api/exposureScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the exposure data in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/exposureScore
-```
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
- "time": "2019-12-03T07:23:53.280499Z",
- "score": 33.491554051195706
-}
-
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
-
-
+---
+title: Get exposure score
+description: Retrieves the organizational exposure score.
+keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get exposure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organizational exposure score.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+
+```
+GET /api/exposureScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the exposure data in the response body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore
+```
+
+### Response
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
+ "time": "2019-12-03T07:23:53.280499Z",
+ "score": 33.491554051195706
+}
+
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
index db2c9f018f..12b129b43f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
@@ -1,6 +1,6 @@
---
title: Get file information API
-description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
index 5ea61a7554..446e50982d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
@@ -1,6 +1,6 @@
---
title: Get file related alerts API
-description: Retrieves a collection of alerts related to a given file hash.
+description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, file, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
index 480f952df9..029c7fc1d5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
@@ -1,6 +1,6 @@
---
title: Get file related machines API
-description: Retrieves a collection of devices related to a given file hash.
+description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, devices, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
index b6abc23c5f..6f35b59012 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
@@ -1,6 +1,6 @@
---
title: Get file statistics API
-description: Retrieves the prevalence for the given file.
+description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, file, statistics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
index 2521e0a16b..4ae4475d50 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
@@ -1,89 +1,89 @@
----
-title: Get installed software
-description: Retrieves a collection of installed software related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get installed software
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of installed software related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the installed software information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
-"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
-"value": [
- {
-"id": "microsoft-_-internet_explorer",
-"name": "internet_explorer",
-"vendor": "microsoft",
-"weaknesses": 67,
-"publicExploit": true,
-"activeAlert": false,
-"exposedMachines": 42115,
-"impactScore": 46.2037163
- }
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: Get installed software
+description: Retrieves a collection of installed software related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get installed software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of installed software related to a given device ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the installed software information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
+"value": [
+ {
+"id": "microsoft-_-internet_explorer",
+"name": "internet_explorer",
+"vendor": "microsoft",
+"weaknesses": 67,
+"publicExploit": true,
+"activeAlert": false,
+"exposedMachines": 42115,
+"impactScore": 46.2037163
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index 91b44caf50..832b6cd185 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -1,6 +1,6 @@
---
title: Get machine by ID API
-description: Retrieves a device entity by ID.
+description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, devices, entity, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
index 10f886e0d1..05b0cbef9d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+author: levinec
+ms.author: ellevin
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -27,6 +27,7 @@ ms.topic: article
Retrieves a collection of alerts related to a given domain address.
## Permissions
+
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
@@ -35,6 +36,7 @@ Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
## HTTP request
+
```
GET /api/exposureScore/ByMachineGroups
```
@@ -46,15 +48,16 @@ GET /api/exposureScore/ByMachineGroups
| Authorization | String | Bearer {token}.**Required**.
## Request body
+
Empty
## Response
-If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
+If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
## Example
-**Request**
+### Request
Here is an example of the request.
@@ -62,7 +65,7 @@ Here is an example of the request.
GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
```
-**Response**
+### Response
Here is an example of the response.
@@ -87,5 +90,6 @@ Here is an example of the response.
```
## Related topics
+
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index fc56069b04..9856c6c603 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -1,6 +1,6 @@
---
title: Get machine log on users API
-description: Retrieve a collection of logged on users on a specific device using Microsoft Defender ATP APIs.
+description: Learn how to use the Get machine log on users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, device, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
index e8fb105671..2aa5a05832 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
@@ -1,6 +1,6 @@
---
title: Get machine related alerts API
-description: Retrieves a collection of alerts related to a given device ID.
+description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, devices, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
index dbcaf5b6fb..abd2981676 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
@@ -1,6 +1,6 @@
---
title: Get MachineAction object API
-description: Use this API to create calls related to get machineaction object
+description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, machineaction object
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
index 08f5fff7d0..c8a2ee671c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
@@ -1,6 +1,6 @@
---
title: List machineActions API
-description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection.
+description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, machineaction collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
index 8dca334083..b3de168061 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
@@ -1,6 +1,6 @@
---
title: Get RBAC machine groups collection API
-description: Retrieves a collection of RBAC device groups.
+description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, RBAC, group
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
index ebf471edee..e066fab80a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@@ -1,93 +1,93 @@
----
-title: List devices by software
-description: Retrieve a list of devices that has this software installed.
-keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by software
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of device references that has this software installed.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/machineReferences
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK and a list of devices with the software installed in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
- "computerDnsName": "dave_desktop",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
- "computerDnsName": "jane_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List devices by software
+description: Retrieve a list of devices that has this software installed.
+keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of device references that has this software installed.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/machineReferences
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK and a list of devices with the software installed in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
+ "computerDnsName": "dave_desktop",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ },
+ {
+ "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
+ "computerDnsName": "jane_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
index fddc82d5dd..71597be89f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -1,92 +1,92 @@
----
-title: List devices by vulnerability
-description: Retrieves a list of devices affected by a vulnerability.
-keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by vulnerability
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices affected by a vulnerability.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "235a2e6278c63fcf85bab9c370396972c58843de",
- "computerDnsName": "h1mkn_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "afb3f807d1a185ac66668f493af028385bfca184",
- "computerDnsName": "chat_Desk ",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
- }
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: List devices by vulnerability
+description: Retrieves a list of devices affected by a vulnerability.
+keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by vulnerability
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of devices affected by a vulnerability.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "235a2e6278c63fcf85bab9c370396972c58843de",
+ "computerDnsName": "h1mkn_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ },
+ {
+ "id": "afb3f807d1a185ac66668f493af028385bfca184",
+ "computerDnsName": "chat_Desk ",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+ }
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index 93303b75fa..5c24fe2ff9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -1,6 +1,6 @@
---
title: List machines API
-description: Retrieves a collection of recently seen devices.
+description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud.
keywords: apis, graph api, supported apis, get, devices
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
index 5fed8ccf11..9c22b88199 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
@@ -1,6 +1,6 @@
---
title: Get machines security states collection API
-description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP.
+description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, device, security, state
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
index 3b41ca66ef..1fa1040fdc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -1,6 +1,6 @@
---
title: Get missing KBs by device ID
-description: Retrieves missing KBs by device Id
+description: Retrieves missing security updates by device ID
keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -22,7 +22,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Retrieves missing KBs by device Id
+Retrieves missing KBs (security updates) by device ID
## HTTP request
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
index e91d137857..a14e6588c5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
@@ -1,6 +1,6 @@
---
title: Get missing KBs by software ID
-description: Retrieves missing KBs by software ID
+description: Retrieves missing security updates by software ID
keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -22,7 +22,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Retrieves missing KBs by software ID
+Retrieves missing KBs (security updates) by software ID
## Permissions
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
index 9254f80562..5b5ce91ff1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@@ -1,96 +1,96 @@
----
-title: Get recommendation by Id
-description: Retrieves a security recommendation by its ID.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get recommendation by ID
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
- "id": "va-_-google-_-chrome",
- "productName": "chrome",
- "recommendationName": "Update Chrome",
- "weaknesses": 38,
- "vendor": "google",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 3.9441860465116285,
- "totalMachineCount": 6,
- "exposedMachinesCount": 5,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Chrome"
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: Get recommendation by Id
+description: Retrieves a security recommendation by its ID.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
+ "id": "va-_-google-_-chrome",
+ "productName": "chrome",
+ "recommendationName": "Update Chrome",
+ "weaknesses": 38,
+ "vendor": "google",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 3.9441860465116285,
+ "totalMachineCount": 6,
+ "exposedMachinesCount": 5,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Chrome"
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
index 9c2965fd9c..fd557b7129 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -1,85 +1,85 @@
----
-title: List devices by recommendation
-description: Retrieves a list of devices associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by recommendation
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
- "computerDnsName": "niw_pc",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: List devices by recommendation
+description: Retrieves a list of devices associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by recommendation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of devices associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
+ "computerDnsName": "niw_pc",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
index d4e5a895ef..c4654ccd11 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@@ -1,84 +1,84 @@
----
-title: Get recommendation by software
-description: Retrieves a security recommendation related to a specific software.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get recommendation by software
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation related to a specific software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
- "id": "google-_-chrome",
- "name": "chrome",
- "vendor": "google",
- "weaknesses": 38,
- "publicExploit": false,
- "activeAlert": false,
- "exposedMachines": 5,
- "impactScore": 3.94418621
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: Get recommendation by software
+description: Retrieves a security recommendation related to a specific software.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation related to a specific software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
+ "id": "google-_-chrome",
+ "name": "chrome",
+ "vendor": "google",
+ "weaknesses": 38,
+ "publicExploit": false,
+ "activeAlert": false,
+ "exposedMachines": 5,
+ "impactScore": 3.94418621
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
index e7e5725b8a..a7218907c7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@@ -1,94 +1,94 @@
----
-title: List vulnerabilities by recommendation
-description: Retrieves a list of vulnerabilities associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities by recommendation
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of vulnerabilities associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-13748",
- "name": "CVE-2019-13748",
- "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
- "severity": "Medium",
- "cvssV3": 6.5,
- "exposedMachines": 0,
- "publishedOn": "2019-12-10T00:00:00Z",
- "updatedOn": "2019-12-16T12:15:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: List vulnerabilities by recommendation
+description: Retrieves a list of vulnerabilities associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities by recommendation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of vulnerabilities associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-13748",
+ "name": "CVE-2019-13748",
+ "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
+ "severity": "Medium",
+ "cvssV3": 6.5,
+ "exposedMachines": 0,
+ "publishedOn": "2019-12-10T00:00:00Z",
+ "updatedOn": "2019-12-16T12:15:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
index 67e29e0532..e071070fba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -1,101 +1,101 @@
----
-title: Get security recommendations
-description: Retrieves a collection of security recommendations related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get security recommendations
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of security recommendations related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-git-scm-_-git",
- "productName": "git",
- "recommendationName": "Update Git to version 2.24.1.2",
- "weaknesses": 3,
- "vendor": "git-scm",
- "recommendedVersion": "2.24.1.2",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 0,
- "totalMachineCount": 0,
- "exposedMachinesCount": 1,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Git"
- },
-…
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+---
+title: Get security recommendations
+description: Retrieves a collection of security recommendations related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get security recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of security recommendations related to a given device ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-git-scm-_-git",
+ "productName": "git",
+ "recommendationName": "Update Git to version 2.24.1.2",
+ "weaknesses": 3,
+ "vendor": "git-scm",
+ "recommendedVersion": "2.24.1.2",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 0,
+ "totalMachineCount": 0,
+ "exposedMachinesCount": 1,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Git"
+ },
+…
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
index 2276c784bf..a596b5e16e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -1,86 +1,86 @@
----
-title: Get software by Id
-description: Retrieves a list of exposure scores by device group.
-keywords: apis, graph api, supported apis, get, software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get software by Id
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves software details by ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the specified software data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: Get software by Id
+description: Retrieves a list of exposure scores by device group.
+keywords: apis, graph api, supported apis, get, software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get software by Id
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves software details by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the specified software data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
index 159f48e08e..8263dd34d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@@ -1,91 +1,91 @@
----
-title: List software version distribution
-description: Retrieves a list of your organization's software version distribution
-keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List software version distribution
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of your organization's software version distribution.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/distributions
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a list of software distributions data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
- "value": [
- {
- "version": "11.0.17134.1039",
- "installations": 1,
- "vulnerabilities": 11
- },
- {
- "version": "11.0.18363.535",
- "installations": 750,
- "vulnerabilities": 0
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List software version distribution
+description: Retrieves a list of your organization's software version distribution
+keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software version distribution
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of your organization's software version distribution.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/distributions
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a list of software distributions data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
+ "value": [
+ {
+ "version": "11.0.17134.1039",
+ "installations": 1,
+ "vulnerabilities": 11
+ },
+ {
+ "version": "11.0.18363.535",
+ "installations": 750,
+ "vulnerabilities": 0
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
index 883c240d11..5e97985a54 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@@ -1,90 +1,90 @@
----
-title: List software
-description: Retrieves a list of software inventory
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List software inventory API
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Retrieves the organization software inventory.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software inventory in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
- "value": [
- {
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List software
+description: Retrieves a list of software inventory
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software inventory API
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves the organization software inventory.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software inventory in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
+ "value": [
+ {
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
index 7ac3ed480b..88927d6912 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
@@ -1,6 +1,6 @@
---
title: List Indicators API
-description: Use this API to create calls related to get Indicators collection
+description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection.
keywords: apis, public api, supported apis, Indicators collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
index 026cdb7ca3..a5efe702fe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
@@ -1,6 +1,6 @@
---
title: Get user information API
-description: Retrieve a User entity by key such as user name or domain.
+description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, user, user information
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
index e55f0b9188..7116b8080d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
@@ -1,6 +1,6 @@
---
title: Get user related machines API
-description: Retrieves a collection of devices related to a given user ID.
+description: Learn how to use the Get user related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, user, user related alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
index 42147bc353..056f883007 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
@@ -1,93 +1,93 @@
----
-title: List vulnerabilities by software
-description: Retrieve a list of vulnerabilities in the installed software.
-keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities by software
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of vulnerabilities in the installed software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/vulnerabilities
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2017-0140",
- "name": "CVE-2017-0140",
- "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
- "severity": "Medium",
- "cvssV3": 4.2,
- "exposedMachines": 1,
- "publishedOn": "2017-03-14T00:00:00Z",
- "updatedOn": "2019-10-03T00:03:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
+---
+title: List vulnerabilities by software
+description: Retrieve a list of vulnerabilities in the installed software.
+keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of vulnerabilities in the installed software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/vulnerabilities
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2017-0140",
+ "name": "CVE-2017-0140",
+ "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
+ "severity": "Medium",
+ "cvssV3": 4.2,
+ "exposedMachines": 1,
+ "publishedOn": "2017-03-14T00:00:00Z",
+ "updatedOn": "2019-10-03T00:03:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ]
+}
+```
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
index a7ec42d80f..4dd3118f79 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
@@ -1,88 +1,88 @@
----
-title: Get vulnerability by Id
-description: Retrieves vulnerability information by its ID.
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get vulnerability by ID
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves vulnerability information by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get vulnerability by Id
+description: Retrieves vulnerability information by its ID.
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get vulnerability by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves vulnerability information by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+}
+```
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/asr-guid.png b/windows/security/threat-protection/microsoft-defender-atp/images/asr-guid.png
new file mode 100644
index 0000000000..d8a8570fb0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/asr-guid.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png
new file mode 100644
index 0000000000..2a5104b582
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png
new file mode 100644
index 0000000000..42273cd0d4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-approval.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-approval.png
new file mode 100644
index 0000000000..e82a6f0dce
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-approval.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-fda.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-fda.png
new file mode 100644
index 0000000000..fe52985647
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-fda.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png
new file mode 100644
index 0000000000..d2f1c35a83
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-pref.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-pref.png
new file mode 100644
index 0000000000..1b8a3df4ca
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-pref.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png
new file mode 100644
index 0000000000..8106b9e665
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-mitigations.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-mitigations.png
new file mode 100644
index 0000000000..4aea3eea5a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-mitigations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-overview.png
new file mode 100644
index 0000000000..e246a0d3da
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png
deleted file mode 100644
index 42a386d71f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png
deleted file mode 100644
index 374a1e58b2..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index f5439add6d..322278414a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -1,18 +1,16 @@
---
title: Import, export, and deploy exploit protection configurations
-keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
-description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration.
+description: Use Group Policy to deploy mitigations configuration.
+keywords: Exploit protection, mitigations, import, export, configure, convert, conversion, deploy, install
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 04/30/2018
ms.reviewer:
manager: dansimp
---
@@ -23,35 +21,27 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md)
-Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
+Exploit protection helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection.
+You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network. Then, they all have the same set of mitigation settings.
-You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network so they all have the same set of mitigation settings.
-
-You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML.
-
-This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-
-The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an [Enhanced Mitigation Experience Toolkit (no longer supported)](https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit) configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and review the settings in the Windows Security app.
## Create and export a configuration file
-Before you export a configuration file, you need to ensure you have the correct settings.
+Before you export a configuration file, you need to ensure you have the correct settings. First, configure exploit protection on a single, dedicated device. See [Customize exploit protection](customize-exploit-protection.md) for more information about configuring mitigations.
-You should first configure exploit protection on a single, dedicated device. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations.
-
-When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell.
+When you've configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell.
### Use the Windows Security app to export a configuration file
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar. Or, search the start menu for **Defender**.
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
+2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**:
-3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
+3. At the bottom of the **Exploit protection** section, select **Export settings**. Choose the location and name of the XML file where you want the configuration to be saved.
> [!IMPORTANT]
> If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
@@ -63,7 +53,7 @@ When you have configured exploit protection to your desired state (including bot
### Use PowerShell to export a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
@@ -87,7 +77,7 @@ After importing, the settings will be instantly applied and can be reviewed in t
### Use PowerShell to import a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
@@ -102,37 +92,7 @@ After importing, the settings will be instantly applied and can be reviewed in t
> [!IMPORTANT]
>
-> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
-
-## Convert an EMET configuration file to an exploit protection configuration file
-
-You can convert an existing EMET configuration file to the new format used by exploit protection. You must do this if you want to import an EMET configuration into exploit protection in Windows 10.
-
-You can only do this conversion in PowerShell.
-
-> [!WARNING]
->
-> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
->
-> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
->
-> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
-
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
-2. Enter the following cmdlet:
-
- ```PowerShell
- ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
- ```
-
- Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
-
-> [!IMPORTANT]
->
-> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
->
-> 1. Open the PowerShell-converted XML file in a text editor.
-> 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled.
+> Ensure you import a configuration file that is created specifically for exploit protection.
## Manage or deploy a configuration
@@ -143,29 +103,28 @@ You can use Group Policy to deploy the configuration you've created to multiple
### Use Group Policy to distribute the configuration
-1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
-4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
+4. Double-click **Use a common set of Exploit protection settings** and set the option to **Enabled**.
-5. In the **Options::** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
+5. In the **Options:** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
* C:\MitigationSettings\Config.XML
* \\\Server\Share\Config.xml
* https://localhost:8080/Config.xml
* C:\ExploitConfigfile.xml
-6. Click **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
+6. Select **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
## Related topics
* [Protect devices from exploits](exploit-protection.md)
-* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
* [Evaluate exploit protection](evaluate-exploit-protection.md)
* [Enable exploit protection](enable-exploit-protection.md)
* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 4bace3c6df..424ed0cb61 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -1,6 +1,6 @@
---
title: Investigate connection events that occur behind forward proxies
-description: Investigate connection events that occur behind forward proxies
+description: Learn how to use advanced HTTP level monitoring through network protection in Microsoft Defender ATP, which surfaces a real target, instead of a proxy.
keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
index ca9dbdfdd3..a74c4a0187 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
@@ -1,6 +1,6 @@
---
title: Isolate machine API
-description: Use this API to create calls related isolating a device.
+description: Learn how to use the Isolate machine API to isolate a device from accessing external network in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, isolate device
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -84,13 +84,13 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```console
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
Content-type: application/json
{
"Comment": "Isolate machine due to alert 1234",
“IsolationType”: “Full”
}
-
+```
- To unisolate a device, see [Release device from isolation](unisolate-machine.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
index 3c07af2507..27d42d2a2c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md
@@ -43,7 +43,7 @@ Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the device | `.test`
File | A specific file identified by the full path | `/var/log/test.log`
`/var/log/*.log`
`/var/log/install.?.log`
-Folder | All files under the specified folder | `/var/log/`
`/var/*/`
+Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t`
File, folder, and process exclusions support the following wildcards:
@@ -64,36 +64,56 @@ For more information on how to configure exclusions from Puppet, Ansible, or ano
Run the following command to see the available switches for managing exclusions:
```bash
-$ mdatp exclusion
+mdatp exclusion
```
+> [!TIP]
+> When configuring exclusions with wildcards, enclose the parameter in double-quotes to prevent globbing.
+
Examples:
- Add an exclusion for a file extension:
```bash
- $ mdatp exclusion extension add --name .txt
+ mdatp exclusion extension add --name .txt
+ ```
+ ```Output
Extension exclusion configured successfully
```
- Add an exclusion for a file:
```bash
- $ mdatp exclusion file add --path /var/log/dummy.log
+ mdatp exclusion file add --path /var/log/dummy.log
+ ```
+ ```Output
File exclusion configured successfully
```
- Add an exclusion for a folder:
```bash
- $ mdatp exclusion folder add --path /var/log/
+ mdatp exclusion folder add --path /var/log/
+ ```
+ ```Output
+ Folder exclusion configured successfully
+ ```
+
+- Add an exclusion for a folder with a wildcard in it:
+
+ ```bash
+ mdatp exclusion folder add --path "/var/*/"
+ ```
+ ```Output
Folder exclusion configured successfully
```
- Add an exclusion for a process:
```bash
- $ mdatp exclusion process add --name cat
+ mdatp exclusion process add --name cat
+ ```
+ ```Output
Process exclusion configured successfully
```
@@ -104,7 +124,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
-$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
+curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
@@ -116,3 +136,25 @@ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > te
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
+
+## Allow threats
+
+In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected.
+
+To add a threat name to the allowed list, execute the following command:
+
+```bash
+mdatp threat allowed add --name [threat-name]
+```
+
+The threat name associated with a detection on your device can be obtained using the following command:
+
+```bash
+mdatp threat list
+```
+
+For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command:
+
+```bash
+mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 0ac4cc8574..1746f4fcb3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -71,7 +71,7 @@ In order to preview new features and provide early feedback, it is recommended t
sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
```
-- Install `yum-utils` if it is not already installed:
+- Install `yum-utils` if it isn't installed yet:
```bash
sudo yum install yum-utils
@@ -107,13 +107,13 @@ In order to preview new features and provide early feedback, it is recommended t
### Ubuntu and Debian systems
-- Install `curl` if it is not already installed:
+- Install `curl` if it isn't installed yet:
```bash
sudo apt-get install curl
```
-- Install `libplist-utils` if it is not already installed:
+- Install `libplist-utils` if it isn't installed yet:
```bash
sudo apt-get install libplist-utils
@@ -177,14 +177,17 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
# list all repositories
- $ yum repolist
+ yum repolist
+ ```
+ ```Output
...
packages-microsoft-com-prod packages-microsoft-com-prod 316
packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2
...
-
+ ```
+ ```bash
# install the package from the production repository
- $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
+ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
```
- SLES and variants:
@@ -196,16 +199,18 @@ In order to preview new features and provide early feedback, it is recommended t
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
```bash
- # list all repositories
- $ zypper repos
+ zypper repos
+ ```
+
+ ```Output
...
# | Alias | Name | ...
XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
XX | packages-microsoft-com-prod | microsoft-prod | ...
...
-
- # install the package from the production repository
- $ sudo zypper install packages-microsoft-com-prod:mdatp
+ ```
+ ```bash
+ sudo zypper install packages-microsoft-com-prod:mdatp
```
- Ubuntu and Debian system:
@@ -217,13 +222,14 @@ In order to preview new features and provide early feedback, it is recommended t
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
```bash
- # list all repositories
- $ cat /etc/apt/sources.list.d/*
+ cat /etc/apt/sources.list.d/*
+ ```
+ ```Output
deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
-
- # install the package from the production repository
- $ sudo apt -t bionic install mdatp
+ ```
+ ```bash
+ sudo apt -t bionic install mdatp
```
## Download the onboarding package
@@ -243,17 +249,19 @@ Download the onboarding package from Microsoft Defender Security Center:
ls -l
```
- `total 8`
- `-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip`
+ ```Output
+ total 8
+ -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+ ```
```bash
unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
```
- `Archive: WindowsDefenderATPOnboardingPackage.zip`
- `inflating: WindowsDefenderATPOnboarding.py`
## Client configuration
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index 709b03a5e2..52f85ffb99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-This topic describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
+This article describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Ansible YAML files](#create-ansible-yaml-files)
@@ -33,12 +33,12 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
## Prerequisites and system requirements
-Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
-In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Please refer to the [Ansible documentation](https://docs.ansible.com/) for details.
+In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details.
-- Ansible needs to be installed on at least on one computer (we will call it the master).
-- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
+- Ansible needs to be installed on at least one computer (we will call it the primary computer).
+- SSH must be configured for an administrator account between the primary computer and all clients, and it is recommended be configured with public key authentication.
- The following software must be installed on all clients:
- curl
- python-apt
@@ -54,7 +54,7 @@ In addition, for Ansible deployment, you need to be familiar with Ansible admini
- Ping test:
```bash
- $ ansible -m ping all
+ ansible -m ping all
```
## Download the onboarding package
@@ -70,10 +70,16 @@ Download the onboarding package from Microsoft Defender Security Center:
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
- $ ls -l
+ ls -l
+ ```
+ ```Output
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- $ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```bash
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
@@ -158,7 +164,9 @@ Create a subtask or role files that contribute to an playbook or task.
- For apt-based distributions use the following YAML file:
```bash
- $ cat install_mdatp.yml
+ cat install_mdatp.yml
+ ```
+ ```Output
- hosts: servers
tasks:
- include: ../roles/onboarding_setup.yml
@@ -170,7 +178,9 @@ Create a subtask or role files that contribute to an playbook or task.
```
```bash
- $ cat uninstall_mdatp.yml
+ cat uninstall_mdatp.yml
+ ```
+ ```Output
- hosts: servers
tasks:
- apt:
@@ -181,7 +191,9 @@ Create a subtask or role files that contribute to an playbook or task.
- For yum-based distributions use the following YAML file:
```bash
- $ cat install_mdatp_yum.yml
+ cat install_mdatp_yum.yml
+ ```
+ ```Output
- hosts: servers
tasks:
- include: ../roles/onboarding_setup.yml
@@ -193,7 +205,9 @@ Create a subtask or role files that contribute to an playbook or task.
```
```bash
- $ cat uninstall_mdatp_yum.yml
+ cat uninstall_mdatp_yum.yml
+ ```
+ ```Output
- hosts: servers
tasks:
- yum:
@@ -208,7 +222,7 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
- Installation:
```bash
- $ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
+ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
```
> [!IMPORTANT]
@@ -217,14 +231,16 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
- Validation/configuration:
```bash
- $ ansible -m shell -a 'mdatp connectivity test' all
- $ ansible -m shell -a 'mdatp health' all
+ ansible -m shell -a 'mdatp connectivity test' all
+ ```
+ ```bash
+ ansible -m shell -a 'mdatp health' all
```
- Uninstallation:
```bash
- $ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
+ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
```
## Log installation issues
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
index ef1aa769a6..14677aa8a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
+This article describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Puppet manifest](#create-a-puppet-manifest)
@@ -35,7 +35,7 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet
For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md).
-In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details.
+In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details.
## Download the onboarding package
@@ -47,13 +47,20 @@ Download the onboarding package from Microsoft Defender Security Center:
-4. From a command prompt, verify that you have the file. Extract the contents of the archive:
+4. From a command prompt, verify that you have the file.
```bash
- $ ls -l
+ ls -l
+ ```
+ ```Output
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- $ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+5. Extract the contents of the archive.
+ ```bash
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ ```
+ ```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
@@ -62,13 +69,19 @@ Download the onboarding package from Microsoft Defender Security Center:
You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
-Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
+Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
```bash
-$ pwd
+pwd
+```
+```Output
/etc/puppetlabs/code/environments/production/modules
+```
-$ tree install_mdatp
+```bash
+tree install_mdatp
+```
+```Output
install_mdatp
├── files
│ └── mdatp_onboard.json
@@ -161,20 +174,24 @@ $version = undef
Include the above manifest in your site.pp file:
```bash
-$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp
+cat /etc/puppetlabs/code/environments/production/manifests/site.pp
+```
+```Output
node "default" {
include install_mdatp
}
```
-Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected.
+Enrolled agent devices periodically poll the Puppet Server and install new configuration profiles and policies as soon as they are detected.
## Monitor Puppet deployment
On the agent device, you can also check the onboarding status by running:
```bash
-$ mdatp health
+mdatp health
+```
+```Output
...
licensed : true
org_id : "[your organization identifier]"
@@ -200,7 +217,7 @@ The above command prints `1` if the product is onboarded and functioning as expe
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
-- 1 if the device is not yet onboarded.
+- 1 if the device isn't onboarded yet.
- 3 if the connection to the daemon cannot be established.
## Log installation issues
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
index 4e59ea8aad..bc9ddc57fc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
@@ -29,7 +29,7 @@ ms.topic: conceptual
In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
-This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
+This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
## Configuration profile structure
@@ -141,7 +141,7 @@ Used to exclude content from the scan by file extension.
**Process excluded from the scan**
-Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
+Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, `cat`) or full path (for example, `/bin/cat`).
|||
|:---|:---|
@@ -373,7 +373,7 @@ The following configuration profile contains entries for all settings described
The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
```bash
-$ python -m json.tool mdatp_managed.json
+python -m json.tool mdatp_managed.json
```
If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
index 415341d721..50067c7547 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
@@ -53,13 +53,13 @@ You can configure how PUA files are handled from the command line or from the ma
In Terminal, execute the following command to configure PUA protection:
```bash
-$ mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
+mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
```
### Use the management console to configure PUA protection:
-In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic.
+In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) article.
-## Related topics
+## Related articles
- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
index a038804f65..addb17136c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -26,28 +26,35 @@ ms.topic: conceptual
## Collect diagnostic information
-If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+If you can reproduce a problem, first increase the logging level, run the system for some time, and then restore the logging level to the default.
1. Increase logging level:
```bash
- $ mdatp log level set --level verbose
+ mdatp log level set --level verbose
+ ```
+ ```Output
Log level configured successfully
```
2. Reproduce the problem.
-3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
+3. Run the following command to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive.
```bash
- $ sudo mdatp diagnostic create
+ sudo mdatp diagnostic create
+ ```
+ This command will also print out the file path to the backup after the operation succeeds:
+ ```Output
Diagnostic file created:
```
4. Restore logging level:
```bash
- $ mdatp log level set --level info
+ mdatp log level set --level info
+ ```
+ ```Output
Log level configured successfully
```
@@ -59,7 +66,7 @@ The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you
## Uninstall
-There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool.
+There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool.
### Manual uninstallation
@@ -73,7 +80,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
### Global options
-By default, the command-line tool outputs the result in human-readable format. In addition to this, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
+By default, the command-line tool outputs the result in human-readable format. In addition, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
### Supported commands
@@ -91,6 +98,9 @@ The following table lists commands for some of the most common scenarios. Run `m
|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path [path-to-directory]` |
|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path [path-to-process]`
`mdatp exclusion process [add|remove] --name [process-name]` |
|Configuration |List all antivirus exclusions |`mdatp exclusion list` |
+|Configuration |Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
+|Configuration |Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
+|Configuration |List all allowed threat names |`mdatp threat allowed list` |
|Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` |
|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
|Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
@@ -107,8 +117,8 @@ The following table lists commands for some of the most common scenarios. Run `m
|Quarantine management |List all quarantined files |`mdatp threat quarantine list` |
|Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` |
|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` |
-|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id [threat-id]` |
-|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id [threat-id]` |
+|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` |
+|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` |
## Microsoft Defender ATP portal information
@@ -138,5 +148,5 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
```bash
- $ sudo SUSEConnect --status-text
+ sudo SUSEConnect --status-text
```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
index 0ac647a0b9..04ec1f7937 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
@@ -48,7 +48,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
```bash
- $ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
+ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
```
> [!NOTE]
@@ -56,7 +56,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
-Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take significantly longer due to network timeouts.
+Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take much longer due to network timeouts.
## Post installation configuration
@@ -73,5 +73,5 @@ After installation, the `HTTPS_PROXY` environment variable must be defined in th
After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
```bash
-$ systemctl daemon-reload; systemctl restart mdatp
+systemctl daemon-reload; systemctl restart mdatp
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
index f48ac979fd..86e2b4f38e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@@ -29,7 +29,7 @@ ms.topic: conceptual
To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
```bash
-$ mdatp connectivity test
+mdatp connectivity test
```
If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
@@ -44,7 +44,7 @@ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https:
The output from this command should be similar to:
-```bash
+```Output
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
```
@@ -59,7 +59,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
```bash
-$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
@@ -78,13 +78,13 @@ Also ensure that the correct static proxy address is filled in to replace `addre
If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
```bash
-$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
+sudo systemctl daemon-reload; sudo systemctl restart mdatp
```
Upon success, attempt another connectivity test from the command line:
```bash
-$ mdatp connectivity test
+mdatp connectivity test
```
If the problem persists, contact customer support.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
index d89a6593f9..67c96c9bdf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
@@ -26,12 +26,15 @@ ms.topic: conceptual
## Verify if installation succeeded
-An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
+An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:
```bash
- $ sudo journalctl | grep 'microsoft-mdatp' > installation.log
- $ grep 'postinstall end' installation.log
-
+ sudo journalctl | grep 'microsoft-mdatp' > installation.log
+```
+```bash
+ grep 'postinstall end' installation.log
+```
+```Output
microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
```
@@ -44,8 +47,9 @@ Also check the [Client configuration](linux-install-manually.md#client-configura
Check if the mdatp service is running:
```bash
- $ systemctl status mdatp
-
+systemctl status mdatp
+```
+```Output
● mdatp.service - Microsoft Defender ATP
Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
@@ -61,41 +65,43 @@ Check if the mdatp service is running:
1. Check if "mdatp" user exists:
```bash
- $ id "mdatp"
+ id "mdatp"
```
If there’s no output, run
```bash
- $ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
+ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
```
2. Try enabling and restarting the service using:
```bash
- $ sudo systemctl enable mdatp
- $ sudo systemctl restart mdatp
+ sudo systemctl enable mdatp
```
-
-3. If mdatp.service isn't found upon running the previous command, run
```bash
- $ sudo cp /opt/microsoft/mdatp/conf/mdatp.service
-
- where is
- /lib/systemd/system for Ubuntu and Debian distributions
- /usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
+ sudo systemctl restart mdatp
```
- and then rerun step 2.
+
+3. If mdatp.service isn't found upon running the previous command, run:
+ ```bash
+ sudo cp /opt/microsoft/mdatp/conf/mdatp.service
+ ```
+ where `````` is
+ ```/lib/systemd/system``` for Ubuntu and Debian distributions and
+ ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES.
+Then rerun step 2.
4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
5. Ensure that the daemon has executable permission.
```bash
- $ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
-
+ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
+ ```
+ ```Output
-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
```
If the daemon doesn't have executable permissions, make it executable using:
```bash
- $ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
+ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
```
and retry running step 2.
@@ -105,7 +111,7 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
1. Check the file system type using:
```bash
- $ findmnt -T
+ findmnt -T
```
Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
@@ -113,13 +119,15 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
```bash
- $ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
+ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
```
and try again.
If none of the above steps help, collect the diagnostic logs:
```bash
- $ sudo mdatp diagnostic create
+ sudo mdatp diagnostic create
+ ```
+ ```Output
Diagnostic file created:
```
Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
index 5119c3afc3..a4c54a9aa4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
+This article provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
@@ -36,7 +36,9 @@ The following steps can be used to troubleshoot and mitigate these issues:
If your device is not managed by your organization, real-time protection can be disabled from the command line:
```bash
- $ mdatp config real-time-protection --value disabled
+ mdatp config real-time-protection --value disabled
+ ```
+ ```Output
Configuration property updated
```
@@ -50,26 +52,28 @@ The following steps can be used to troubleshoot and mitigate these issues:
This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
```bash
- $ mdatp config real-time-protection-statistics --value enabled
+ mdatp config real-time-protection-statistics --value enabled
```
This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
```bash
- $ mdatp health --field real_time_protection_enabled
+ mdatp health --field real_time_protection_enabled
```
Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
```bash
- $ mdatp config real-time-protection --value enabled
+ mdatp config real-time-protection --value enabled
+ ```
+ ```Output
Configuration property updated
```
To collect current statistics, run:
```bash
- $ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
+ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
```
The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
index 49399fbe9f..ba716299fe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
@@ -1,6 +1,6 @@
---
title: Live response command examples
-description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used
+description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used.
keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 2a2e8465f2..56f59ba081 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -23,9 +23,9 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — in real time.
+Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats—in real time.
-Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
+Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW]
@@ -98,7 +98,7 @@ The dashboard also gives you access to:
## Initiate a live response session on a device
-1. Log in to Microsoft Defender Security Center.
+1. Sign in to Microsoft Defender Security Center.
2. Navigate to the devices list page and select a device to investigate. The devices page opens.
@@ -112,6 +112,10 @@ The dashboard also gives you access to:
Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
+
+>[!NOTE]
+>Live response is a cloud-based interactive shell, as such, specific command experience may vary in response time depending on network quality and system load between the end user and the target device.
+
### Basic commands
The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
@@ -137,7 +141,7 @@ drivers | Shows all drivers installed on the device. |
|`trace` | Sets the terminal's logging mode to debug. |
### Advanced commands
-The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see [Create and manage roles](user-roles.md).
+The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
| Command | Description |
|---|---|
@@ -201,7 +205,7 @@ You can have a collection of PowerShell scripts that can run on devices that you
4. Specify if you'd like to overwrite a file with the same name.
-5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
+5. If you'd like to be, know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
6. Click **Confirm**.
@@ -220,7 +224,7 @@ Some commands have prerequisite commands to run. If you don't run the prerequisi
You can use the auto flag to automatically run prerequisite commands, for example:
-```
+```console
getfile c:\Users\user\Desktop\work.txt -auto
```
@@ -269,7 +273,7 @@ Live response supports output piping to CLI and file. CLI is the default output
Example:
-```
+```console
processes > output.txt
```
@@ -285,7 +289,7 @@ Each command is tracked with full details such as:
## Limitations
- Live response sessions are limited to 10 live response sessions at a time.
-- Large scale command execution is not supported.
+- Large-scale command execution is not supported.
- A user can only initiate one session at a time.
- A device can only be in one session at a time.
- The following file size limits apply:
@@ -295,11 +299,3 @@ Each command is tracked with full details such as:
## Related article
- [Live response command examples](live-response-command-examples.md)
-
-
-
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
index c0fe9490e6..4e97dc6960 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -43,7 +43,7 @@ Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | `.test`
File | A specific file identified by the full path | `/var/log/test.log`
`/var/log/*.log`
`/var/log/install.?.log`
-Folder | All files under the specified folder | `/var/log/`
`/var/*/`
+Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t`
File, folder, and process exclusions support the following wildcards:
@@ -86,3 +86,25 @@ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > te
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
+
+## Allow threats
+
+In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected.
+
+To add a threat name to the allowed list, execute the following command:
+
+```bash
+mdatp threat allowed add --name [threat-name]
+```
+
+The threat name associated with a detection on your device can be obtained using the following command:
+
+```bash
+mdatp threat list
+```
+
+For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command:
+
+```bash
+mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index ef40ef4868..7367f5ccb6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -89,14 +89,17 @@ Important tasks, such as controlling product settings and triggering on-demand s
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
-|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
+|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
+|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
+|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
+|Configuration|List all allowed threat names |`mdatp threat allowed list` |
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` |
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
-|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
+|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
|Protection |Scan a path |`mdatp --scan --path [path]` |
|Protection |Do a quick scan |`mdatp --scan --quick` |
@@ -129,7 +132,7 @@ To enable autocompletion in `zsh`:
echo "autoload -Uz compinit && compinit" >> ~/.zshrc
```
-- Run the following command to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
+- Run the following commands to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
```zsh
sudo mkdir -p /usr/local/share/zsh/site-functions
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
new file mode 100644
index 0000000000..d480a11fb7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md
@@ -0,0 +1,147 @@
+---
+title: Microsoft Defender ATP for Mac - System Extensions (Public Preview)
+description: This article contains instructions for trying out the system extensions functionality of Microsoft Defender ATP for Mac. This functionality is currently in public preview.
+keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ROBOTS: noindex,nofollow
+---
+
+# Microsoft Defender ATP for Mac - System Extensions (Public Preview)
+
+In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS.
+
+This functionality is currently in public preview. This article contains instructions for enabling this functionality on your device. You can choose to try out this feature locally on your own device or configure it remotely through a management tool.
+
+These steps assume you already have Microsoft Defender ATP running on your device. For more information, see [this page](microsoft-defender-atp-mac.md).
+
+## Known issues
+
+- We’ve received reports of the network extension interfering with Apple SSO Kerberos extension.
+- The current version of the product still installs a kernel extension. The kernel extension is only used as a fallback mechanism and will be removed before this feature reaches public preview.
+- We are still working on a product version that deploys and functions properly on macOS 11 Big Sur.
+
+## Deployment prerequisites
+
+- Minimum operating system version: **10.15.4**
+- Minimum product version: **101.03.73**
+- Your device must be in the **Insider Fast update channel**. You can check the update channel using the following command:
+
+```bash
+mdatp --health releaseRing
+```
+
+If your device is not already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
+
+```bash
+defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast
+```
+
+Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [this page](mac-updates.md#set-the-channel-name).
+
+## Deployment steps
+
+Select the deployment steps corresponding to your environment and your preferred method of trying out this feature.
+
+### Manual deployment
+
+#### Approve the system extensions & enable the network extension
+
+Once all deployment prerequisites are met, restart your device to start the system extension approval and activation process.
+
+You will be presented series of system prompts to approve the Microsoft Defender ATP system extensions. You must approve ALL prompts from the series, because macOS requires an explicit approval for each extension that Microsoft Defender ATP for Mac installs on the device.
+
+For each approval, click **Open Security Preferences** and then click **Allow** to allow the system extension to run.
+
+> [!IMPORTANT]
+> Between subsequent approvals, you must close and re-open the **System Preferences** > **Security & Privacy** window, otherwise macOS will not display the next approval.
+
+> [!IMPORTANT]
+> There is a one minute timeout before the product falls back to the kernel extension (to ensure that the device is protected).
+>
+> If more than one minute has elapsed, restart the daemon (by rebooting the device or using `sudo killall -9 wdavdaemon`) in order to trigger the approval flow again.
+
+
+
+
+
+Following the approval of the system extensions, macOS will prompt for an approval to allow network traffic to be filtered. Click **Allow**.
+
+
+
+#### Grant Full Disk Access to the Endpoint Security system extension
+
+Open **System Preferences** > **Security & Privacy** > **Privacy** tab and grant **Full Disk Access** to the **Microsoft Defender Endpoint Security Extension**.
+
+
+
+#### Reboot your device
+
+In order for the changes to take effect, you must reboot your device.
+
+#### Verify that the system extensions are running
+
+From the Terminal, run the following command:
+
+```bash
+mdatp health --field real_time_protection_subsystem
+```
+
+Terminal output `endpoint_security_extension` indicates the product is using the system extensions functionality.
+
+### Managed deployment
+
+Refer to [this page](mac-sysext-policies.md#jamf) for the new configuration profiles that must be deployed for this new feature.
+
+In addition to those profiles, make sure the target devices are also configured to be in the Insider Fast update channel, as described in [this section](#deployment-prerequisites).
+
+On a device where all prerequisites are met and the new configuration profiles have been deployed, run:
+
+```bash
+$ mdatp health --field real_time_protection_subsystem
+```
+
+If this command prints `endpoint_security_extension`, then the product is using the system extensions functionality.
+
+## Validate basic scenarios
+
+1. Test EICAR detection. From a Terminal window, run:
+
+```bash
+curl -o eicar.txt https://secure.eicar.org/eicar.com.txt
+```
+
+ Verify that the EICAR file is quarantined. This verification can be done from the user interface (from the Protection History page) or command line using the following command:
+
+```bash
+mdatp threat list
+```
+
+2. Test EDR DIY scenario. From a terminal window, run:
+
+```bash
+curl -o "MDATP MacOS DIY.zip" https://aka.ms/mdatpmacosdiy
+```
+
+ Validate that two alerts have popped up in the portal in the machine page for EICAR and EDR DIY scenarios.
+
+## Frequently asked questions
+
+- Q: Why am I still seeing `kernel_extension` when I run `mdatp health --field real_time_protection_subsystem`?
+
+ A: Refer back to the [Deployment prerequisites](#deployment-prerequisites) section and double-check all of them are met. If all prerequisites are met, restart your device and check again.
+
+- Q: When is macOS 11 Big Sur going to be supported?
+
+ A: We are actively working on adding support for macOS 11. We will post more information to the [What's new](mac-whatsnew.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 4b48c8771f..b236965be2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -38,6 +38,20 @@ ms.topic: conceptual
> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
+## 101.06.63
+
+- Addressed a performance regression introduced in version `101.05.17`. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics.
+
+## 101.05.17
+
+> [!IMPORTANT]
+> We are working on a new and enhanced syntax for the `mdatp` command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to famliliarize yourself with this new syntax.
+>
+> We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months.
+
+- Addressed a kernel panic that occurred sometimes when accessing SMB file shares
+- Performance improvements & bug fixes
+
## 101.05.16
- Improvements to quick scan logic to significantly reduce the number of scanned files
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 92e5b76fd8..e0c0e5b9b1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -1,6 +1,6 @@
---
title: Machine resource type
-description: Retrieves top machines
+description: Learn about the methods and properties of the Machine resource type in Microsoft Defender Advanced Threat Protection.
keywords: apis, supported apis, get, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
index 930d43341f..be98dcc681 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
@@ -1,6 +1,6 @@
---
title: machineAction resource type
-description: Quickly respond to detected attacks by isolating machines or collecting an investigation package.
+description: Learn about the methods and properties of the MachineAction resource type in Microsoft Defender Advanced Threat Protection.
keywords: apis, supported apis, get, machineaction, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
index 8ee9cd8e12..9665f24c1f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
@@ -34,13 +34,13 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana
You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
> [!TIP]
-> For additional visibility at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
+> For additional visibility at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
>
> For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
>
-> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+> Incidents that existed prior the rollout of automatic incident naming will retain their names.
>
-> Learn more about [turning on preview features](preview.md#turn-on-preview-features).
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index e17e4280c2..081eb65201 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -1,6 +1,6 @@
---
-title: Create indicators
-ms.reviewer:
+title: Create indicators
+ms.reviewer:
description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
@@ -14,11 +14,11 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
---
-# Create indicators
+# Create indicators
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -40,10 +40,10 @@ The same list of indicators is honored by the prevention agent. Meaning, if Micr
**Automated investigation and remediation engine**
The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".
-
+
The current supported actions are:
-- Allow
+- Allow
- Alert only
- Alert and block
@@ -55,7 +55,7 @@ You can create an indicator for:
>[!NOTE]
->There is a limit of 15,000 indicators per tenant.
+>There is a limit of 15,000 indicators per tenant.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
index 04bb26271d..6b4210212e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
@@ -1,6 +1,6 @@
---
title: Manage Microsoft Defender Advanced Threat Protection suppression rules
-description: Manage suppression rules
+description: You might need to prevent alerts from appearing in the portal by using suppression rules. Learn how to manage your suppression rules in Microsoft Defender ATP.
keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index 283349edd3..d4d253fe83 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender Advanced Threat Protection
description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats.
-keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
+keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -52,7 +52,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
Threat & Vulnerability Management |
Attack surface reduction |
-
Next generation protection |
+
Next-generation protection |
Endpoint detection and response |
Automated investigation and remediation |
Microsoft Threat Experts |
@@ -87,8 +87,8 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
+**[Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
+To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
index 12f56bc412..e25b6e042f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
@@ -42,7 +42,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend
- **For end users**
- - Microsoft Defender ATP license assigned to the end user(s) of the app.
+ - Microsoft Defender ATP license assigned to the end user(s) of the app. See [Microsoft Defender ATP licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements)
- Intune Company Portal app can be downloaded from [Google
Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
@@ -78,7 +78,8 @@ This topic describes how to install, configure, update, and use Microsoft Defend
### Installation instructions
Microsoft Defender ATP for Android supports installation on both modes of
-enrolled devices - the legacy Device Administrator and Android Enterprise modes
+enrolled devices - the legacy Device Administrator and Android Enterprise modes.
+**Currently, only Work Profile enrolled devices are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
Deployment of Microsoft Defender ATP for Android is via Microsoft Intune (MDM).
For more information, see [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index fda5e2b14b..b2b4bdcfae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -65,7 +65,7 @@ If you experience any installation failures, refer to [Troubleshooting installat
> [!CAUTION]
> Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
-- Disk space: 650 MB
+- Disk space: 1GB
- The solution currently provides real-time protection for the following file system types:
- `btrfs`
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index ae6569fd45..62d68dcdee 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -61,7 +61,7 @@ There are several methods and deployment tools that you can use to install and c
The three most recent major releases of macOS are supported.
- 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
-- Disk space: 650 MB
+- Disk space: 1GB
Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index c3372148b8..b3d3eb3ef8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -103,8 +103,9 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for
### Other supported operating systems
-- macOS
+- Android
- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
+- macOS
> [!NOTE]
> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index eb56826c55..9453feda1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -3,7 +3,6 @@ title: Use network protection to help prevent connections to bad sites
description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
keywords: Network protection, exploits, malicious website, ip, domain, domains
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 3eb07ed66d..c07a143d91 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -105,7 +105,7 @@ Ensure that your devices:
Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
-See the following topics for related APIs:
+See the following articles for related APIs:
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Machine APIs](machine.md)
@@ -115,7 +115,7 @@ See the following topics for related APIs:
- [Vulnerability APIs](vulnerability.md)
- [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)
-## Related topics
+## See also
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index 2c94a9c19e..d51165a30f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -1,6 +1,6 @@
---
title: Offboard machine API
-description: Use this API to offboard a device from WDATP.
+description: Learn how to use an API to offboard a device from Windows Defender Advanced Threat Protection (WDATP).
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index 37c447d3fc..64b2b3236f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -1,8 +1,8 @@
---
title: Configure and manage Microsoft Defender ATP capabilities
ms.reviewer:
-description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls
-keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
+description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next-generation protection, and security controls
+keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -30,7 +30,7 @@ Configure and manage all the Microsoft Defender ATP capabilities to get the best
Topic | Description
:---|:---
[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-[Configure next generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
+[Configure next-generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next-generation protection to catch all types of emerging threats.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index 03b4cbea92..699ec6442c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -68,4 +68,4 @@ This article provides resources to guide you on:
## Related topics
- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuraiton-manager.md)
-- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
\ No newline at end of file
+- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index c98c0a6c38..fd8438a07e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -18,22 +18,19 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-
# Custom detections overview
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
+With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions.
-Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
+Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Custom detections provide:
- Alerts for rule-based detections built from advanced hunting queries
- Automatic response actions that apply to files and devices
->[!NOTE]
->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## Related topic
-- [Create and manage custom detection rules](custom-detection-rules.md)
+## Related topics
+- [Create detection rules](custom-detection-rules.md)
+- [View and manage detection rules](custom-detections-manage.md)
- [Advanced hunting overview](advanced-hunting-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index 5e1fd0cad0..63ca10ace1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -1,6 +1,6 @@
---
title: Submit or Update Indicator API
-description: Use this API to submit or Update Indicator.
+description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, submit, ti, indicator, update
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index 8e62b93b44..56d83bd553 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -174,7 +174,7 @@ how the endpoint security suite should be enabled.
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable device vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
-| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 |
+| Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 |
| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index fce90c63c2..4c7de91e8a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -1,6 +1,6 @@
---
title: Pull Microsoft Defender ATP detections using REST API
-description: Pull detections from Microsoft Defender ATP REST API.
+description: Learn how call an Microsoft Defender ATP endpoint to pull detections in JSON format using the SIEM REST API.
keywords: detections, pull detections, rest api, request, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
index 11d05369ee..4435b74d94 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
@@ -1,59 +1,59 @@
----
-title: Recommendation methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Recommendation resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
-[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
-[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
-[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
-[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Recommendation ID
-productName | String | Related software name
-recommendationName | String | Recommendation name
-Weaknesses | Long | Number of discovered vulnerabilities
-Vendor | String | Related vendor name
-recommendedVersion | String | Recommended version
-recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
-subCategory | String | Recommendation sub-category
-severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
-publicExploit | Boolean | Public exploit is available
-activeAlert | Boolean | Active alert is associated with this recommendation
-associatedThreats | String collection | Threat analytics report is associated with this recommendation
-remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
-Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
-configScoreImpact | Double | Microsoft Secure Score for Devices impact
-exposureImpacte | Double | Exposure score impact
-totalMachineCount | Long | Number of installed devices
-exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
-nonProductivityImpactedAssets | Long | Number of devices which are not affected
-relatedComponent | String | Related software component
+---
+title: Recommendation methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Recommendation resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
+[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
+[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
+[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
+[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Recommendation ID
+productName | String | Related software name
+recommendationName | String | Recommendation name
+Weaknesses | Long | Number of discovered vulnerabilities
+Vendor | String | Related vendor name
+recommendedVersion | String | Recommended version
+recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
+subCategory | String | Recommendation sub-category
+severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
+publicExploit | Boolean | Public exploit is available
+activeAlert | Boolean | Active alert is associated with this recommendation
+associatedThreats | String collection | Threat analytics report is associated with this recommendation
+remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
+Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
+configScoreImpact | Double | Microsoft Secure Score for Devices impact
+exposureImpacte | Double | Exposure score impact
+totalMachineCount | Long | Number of installed devices
+exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
+nonProductivityImpactedAssets | Long | Number of devices which are not affected
+relatedComponent | String | Related software component
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
index bc8b673887..40615f1991 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/score.md
@@ -1,40 +1,41 @@
----
-title: Score methods and properties
-description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
-keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Score resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
-[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
-[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-Score | Double | The current score.
-Time | DateTime | The date and time in which the call for this API was made.
-RbacGroupName | String | The device group name.
+---
+title: Score methods and properties
+description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
+keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Score resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+
+Method |Return Type |Description
+:---|:---|:---
+[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
+[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
+[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
+
+## Properties
+
+Property | Type | Description
+:---|:---|:---
+Score | Double | The current score.
+Time | DateTime | The date and time in which the call for this API was made.
+RbacGroupName | String | The device group name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
index 0853d1f0d8..bacc9d839f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -1,49 +1,49 @@
----
-title: Software methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Software resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[List software](get-software.md) | Software collection | List the organizational software inventory.
-[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
-[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
-[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
-[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
-[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | Software ID
-Name | String | Software name
-Vendor | String | Software vendor name
-Weaknesses | Long | Number of discovered vulnerabilities
-publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
-activeAlert | Boolean | Active alert is associated with this software
-exposedMachines | Long | Number of exposed devices
-impactScore | Double | Exposure score impact of this software
+---
+title: Software methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Software resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+
+Method |Return Type |Description
+:---|:---|:---
+[List software](get-software.md) | Software collection | List the organizational software inventory.
+[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
+[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
+[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
+[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
+[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
+
+## Properties
+
+Property | Type | Description
+:---|:---|:---
+id | String | Software ID
+Name | String | Software name
+Vendor | String | Software vendor name
+Weaknesses | Long | Number of discovered vulnerabilities
+publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
+activeAlert | Boolean | Active alert is associated with this software
+exposedMachines | Long | Number of exposed devices
+impactScore | Double | Exposure score impact of this software
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
index 692c6a9e61..a3c0638d1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
@@ -120,6 +120,9 @@ This step of the setup process involves adding Microsoft Defender ATP to the exc
During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list.
+> [!NOTE]
+> To get an idea of which processes and services to exclude, see Broadcom's [Processes and services used by Endpoint Protection 14](https://knowledge.broadcom.com/external/article/170706/processes-and-services-used-by-endpoint.html).
+
When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
- Path exclusions exclude specific files and whatever those files access.
- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
index 421805849d..7612d8d24a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
@@ -22,49 +22,84 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to quickly assess their security posture, covering the impact of emerging threats and their organizational resilience.
+With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly:
-Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them.
+- Assess the impact of new threats
+- Review your resilience against or exposure to the threats
+- Identify the actions you can take to stop or contain the threats
-Watch this short video to quickly understand how threat analytics can help you track the latest threats and stop them.
+Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats, including:
+
+- Active threat actors and their campaigns
+- Popular and new attack techniques
+- Critical vulnerabilities
+- Common attack surfaces
+- Prevalent malware
+
+Each report provides a detailed analysis of a threat and extensive guidance on how to defend against the threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable security updates and recommended settings in place.
+
+Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f]
## View the threat analytics dashboard
-The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports:
+The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It summarizes the threats in the following sections:
-- **Latest threats** — lists the most recently published threat reports, along with the number of devices with resolved and unresolved alerts.
-- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of devices that have had related alerts, along with the number of devices with resolved and unresolved alerts.
-- **Threat summary** — shows the number of threats among the threats reported in threat analytics with actual alerts.
+- **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts.
+- **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts.
+- **Threat summary**—shows the overall impact of all the threats reported in threat analytics by showing the number of threats with active and resolved alerts.
+
+Select a threat from the dashboard to view the report for that threat.
-Select a threat from any of the overviews or from the table to view the report for that threat.
-
## View a threat analytics report
-Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides mitigation recommendations and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat.
+Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**.
-
+### Quickly understand a threat and assess its impact to your network in the overview
-### Organizational impact
-Each report includes cards designed to provide information about the organizational impact of a threat:
-- **Devices with alerts** — shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
-- **Devices with alerts over time** — shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
+The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.
-### Organizational resilience
-Each report also includes cards that provide an overview of how resilient your organization can be against a given threat:
-- **Security configuration status** — shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
-- **Vulnerability patching status** — shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
-- **Mitigation details** — lists specific actionable recommendations that can help you increase your organizational resilience. This card lists tracked mitigations, including recommended settings and vulnerability patches, along with the number of devices that don't have the mitigations in place.
+
+_Overview section of a threat analytics report_
-### Additional report details and limitations
+#### Organizational impact
+Each report includes charts designed to provide information about the organizational impact of a threat:
+- **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
+- **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
+
+#### Organizational resilience and exposure
+Each report includes charts that provide an overview of how resilient your organization is against a given threat:
+- **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
+- **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
+
+### Get expert insight from the analyst report
+Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.
+
+
+_Analyst report section of a threat analytics report_
+
+### Review list of mitigations and the status of your devices
+In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes recommended settings and vulnerability patches. It also shows the number of devices that don't have these mitigations in place.
+
+Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report.
+
+
+_Mitigations section of a threat analytics report_
+
+
+## Additional report details and limitations
When using the reports, keep the following in mind:
-- Data is scoped based on your RBAC permissions. You will only see the status of devices that you have been granted access to on the RBAC.
-- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not reflected in the charts.
+- Data is scoped based on your role-based access control (RBAC) scope. You will see the status of devices in [groups that you can access](machine-groups.md).
+- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts.
- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.
-- Devices are counted as "unavailable" if they have been unable to transmit data to the service.
-- Antivirus related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
+- Devices are counted as "unavailable" if they have not transmitted data to the service.
+- Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
+
+## Related topics
+- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
+- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index 8f87ff3707..be0e27f27a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
index 882df03a74..86607dd332 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
@@ -3,7 +3,6 @@ title: Troubleshoot exploit protection mitigations
keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
description: Remove unwanted Exploit protection mitigations.
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index b435c4b723..1118d17529 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -3,7 +3,6 @@ title: Troubleshoot problems with Network protection
description: Resources and sample code to troubleshoot issues with Network protection in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 8c35924c4f..11aa392b29 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -55,9 +55,9 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
-[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
+[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
-[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
+[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates).
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
## Threat and vulnerability management dashboard
@@ -68,12 +68,12 @@ Area | Description
[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
**Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
+**Top security recommendations** | See the collated security recommendations that are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list. Select **Show exceptions** for the list of recommendations that have an exception.
**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions.
**Top exposed devices** | View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device.
-See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal.
+For more information on the icons used throughout the portal, see [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons).
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 19805c1e0b..2cfd0bfeb9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -30,7 +30,7 @@ Your exposure score is visible in the [Threat and vulnerability management dashb
- Detect and respond to areas that require investigation or action to improve the current state.
- Communicate with peers and management about the impact of security efforts.
-The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
+The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart give you a visual indication of a high cybersecurity threat exposure that you can investigate further.
@@ -38,7 +38,7 @@ The card gives you a high-level view of your exposure score trend over time. Any
Threat and vulnerability management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats.
-The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
+The exposure score is continuously calculated on each device in the organization. It is influenced by the following factors:
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
index 83e5537bff..0823575cb9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
@@ -1,6 +1,6 @@
---
title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center
-description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls
+description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls.
keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -35,12 +35,24 @@ Your score for devices is visible in the [threat and vulnerability management da
Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations.
+## Turn on the Microsoft Secure Score connector
+
+Forward Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data.
+
+Changes might take up to a few hours to reflect in the dashboard.
+
+1. In the navigation pane, go to **Settings** > **Advanced features**
+
+2. Scroll down to **Microsoft Secure Score** and toggle the setting to **On**.
+
+3. Select **Save preferences**.
+
## How it works
>[!NOTE]
> Microsoft Secure Score for Devices currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
-The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
+The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process. It is aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
@@ -49,9 +61,9 @@ The data in the Microsoft Secure Score for Devices card is the product of meticu
## Improve your security configuration
-You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
+Improve your security configuration by remediating issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities.
-1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
+1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories. You'll view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
@@ -59,15 +71,15 @@ You can improve your security configuration when you remediate issues from the s
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.
-4. **Submit request**. You will see a confirmation message that the remediation task has been created.
+4. **Submit request**. You'll see a confirmation message that the remediation task has been created.
5. Save your CSV file.
-6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
+6. Send a follow-up email to your IT Administrator and allow the time that you've allotted for the remediation to propagate in the system.
-7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your Microsoft Secure Score for Devices should increase.
+7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you've addressed won't be listed there anymore. Your Microsoft Secure Score for Devices should increase.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index a94e2b07c4..6673d476df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -26,7 +26,7 @@ ms.topic: conceptual
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
-After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
+After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks. You can create tasks through the integration with Microsoft Intune where remediation tickets are created.
Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
@@ -39,7 +39,7 @@ You can access the Remediation page a few different ways:
### Navigation menu
-Go to the threat and vulnerability management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
+Go to the threat and vulnerability management navigation menu and select **Remediation**. It will open the list of remediation activities and exceptions found in your organization.
### Top remediation activities in the dashboard
@@ -49,7 +49,7 @@ View **Top remediation activities** in the [threat and vulnerability management
## Remediation activities
-When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
+When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
@@ -66,8 +66,8 @@ The exceptions you've filed will show up in the **Remediation** page, in the **E
You can take the following actions on an exception:
-- Cancel - You can cancel the exceptions you've filed any time
-- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded
+- Cancel - You can cancel the exceptions you've filed anytime
+- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change. It adversely affects the exposure impact associated with a recommendation that had previously been excluded.
The following statuses will be a part of an exception:
@@ -89,7 +89,7 @@ The exception impact shows on both the Security recommendations page column and
### View exceptions in other places
-Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard to open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
+Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 3555d2490e..3b9cd84b1d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -28,13 +28,13 @@ ms.topic: conceptual
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.
-Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
+Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
## How it works
Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time.
-- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
+- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
- **Breach likelihood** - Your organization's security posture and resilience against threats
@@ -54,15 +54,15 @@ View related security recommendations in the following places:
### Navigation menu
-Go to the threat and vulnerability management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization.
+Go to the threat and vulnerability management navigation menu and select **Security recommendations**. The page contains a list of security recommendations for the threats and vulnerabilities found in your organization.
### Top security recommendations in the threat and vulnerability management dashboard
-In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
+In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
-The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation.
+The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details.
## Security recommendations overview
@@ -74,7 +74,7 @@ The color of the **Exposed devices** graph changes as the trend changes. If the
### Icons
-Useful icons also quickly calls your attention to:
+Useful icons also quickly call your attention to:
-  possible active alerts
-  associated public exploits
-  recommendation insights
@@ -85,13 +85,13 @@ Select the security recommendation that you want to investigate or process.
-From the flyout, you can do any of the following:
+From the flyout, you can choose any of the following options:
-- **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution.
+- **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution.
- [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
-- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
+- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet.
>[!NOTE]
>When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer.
@@ -137,7 +137,7 @@ There are many reasons why organizations create exceptions for a recommendation.
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
-1. Select a security recommendation you would like create an exception for, and then **Exception options**.
+1. Select a security recommendation you would like to create an exception for, and then **Exception options**.
2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
@@ -171,30 +171,30 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
## Find and remediate software or software versions which have reached end-of-support (EOS)
-End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
-It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates.
+It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates.
-To find software or software versions which have reached end-of-support:
+To find software or software versions that are no longer supported:
1. From the threat and vulnerability management menu, navigate to **Security recommendations**.
2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
-3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
+3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
### List of versions and dates
-To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps:
+To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps:
-1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected.
+1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon.
-2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
+2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
@@ -202,7 +202,7 @@ To view a list of version that have reached end of support, or end or support so
-After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats.
+Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index d0e00649f5..d157c8610f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -1,6 +1,6 @@
---
title: Software inventory in threat and vulnerability management
-description: Microsoft Defender ATP threat and vulnerability management's software inventory page shows how many weaknesses and vulnerabilities have been detected in software.
+description: The software inventory page for Microsoft Defender ATP's threat and vulnerability management shows how many weaknesses and vulnerabilities have been detected in software.
keywords: threat and vulnerability management, microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -23,26 +23,26 @@ ms.topic: conceptual
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-The software inventory in threat and vulnerability management is a list of all the software in your organization, including details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
+The software inventory in threat and vulnerability management is a list of all the software in your organization. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
## How it works
-In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md).
+In the field of discovery, we're leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md).
-Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
+Since it's real time, in a matter of minutes, you'll see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
## Navigate to the Software inventory page
-You can access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
+Access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md).
View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md).
## Software inventory overview
-The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
+The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can filter the list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support.
-Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
+Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
@@ -56,8 +56,8 @@ You can view software pages a few different ways:
A full page will appear with all the details of a specific software and the following information:
-- Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score
-- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices
+- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to your exposure score
+- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices
- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the devices that the software is installed on, and the specific versions of the software with the number of devices that have each version installed and number of vulnerabilities.
@@ -67,17 +67,17 @@ You can view software pages a few different ways:
We now show evidence of where we detected a specific software on a device from the registry, disk or both.
You can find it on any devices found in the [devices list](machines-view-overview.md) in a section called "Software Evidence."
-From the Microsoft Defender Security Center navigation panel, go to **Devices list** > select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
+From the Microsoft Defender Security Center navigation panel, go to the **Devices list**. Select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence.
## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information.
+Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.
1. Open the software flyout on the Software inventory page.
2. Select **Report inaccuracy**.
-3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details about the inaccuracy.
4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 381f126c5b..d29f6dfc63 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -1,58 +1,58 @@
----
-title: Supported operating systems and platforms for threat and vulnerability management
-description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for.
-keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
-search.appverid: met150
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-# Supported operating systems and platforms - threat and vulnerability management
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for.
-
->[!NOTE]
->The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
-
-Operating system | Security assessment support
-:---|:---
-Windows 7 | Operating System (OS) vulnerabilities
-Windows 8.1 | Not supported
-Windows 10 1607-1703 | Operating System (OS) vulnerabilities
-Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-MacOS | Not supported (planned)
-Linux | Not supported (planned)
-
-## Related topics
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+---
+title: Supported operating systems and platforms for threat and vulnerability management
+description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for.
+keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
+search.appverid: met150
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+# Supported operating systems and platforms - threat and vulnerability management
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for.
+
+>[!NOTE]
+>The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list.
+
+Operating system | Security assessment support
+:---|:---
+Windows 7 | Operating System (OS) vulnerabilities
+Windows 8.1 | Not supported
+Windows 10 1607-1703 | Operating System (OS) vulnerabilities
+Windows 10 1709+ |Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
+macOS | Not supported (planned)
+Linux | Not supported (planned)
+
+## Related topics
+
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
+- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation and exception](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
+- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index d82ae3d95c..37a974d932 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -27,7 +27,7 @@ ms.topic: conceptual
Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
-The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
@@ -52,13 +52,13 @@ Go to the threat and vulnerability management navigation menu and select **Weakn
1. Go to the global search drop-down menu.
2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for.
-3. Select the CVE and a flyout panel opens up with more information, including the vulnerability description, details, threat insights, and exposed devices.
+3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices.
To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search.
## Weaknesses overview
-If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you are not at risk.
+Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk.
@@ -69,10 +69,10 @@ View related breach and threat insights in the **Threat** column when the icons
>[!NOTE]
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon  and breach insight icon .
-The breach insights icon is highlighted if there is a vulnerability found in your organization.
+The breach insights icon is highlighted if there's a vulnerability found in your organization.
-The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories.
+The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there is a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories.
@@ -88,11 +88,11 @@ The "OS Feature" category is shown in relevant scenarios.
### Top vulnerable software in the dashboard
-1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
+1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time.
-2. Select the software you want to investigate to go to a drill down page.
+2. Select the software you want to investigate to go to a drilldown page.
3. Select the **Discovered vulnerabilities** tab.
4. Select the vulnerability you want to investigate for more information on vulnerability details
@@ -116,19 +116,19 @@ View related weaknesses information in the device page.
#### CVE Detection logic
-Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source.
+Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. The new section is called "Detection Logic" (in any discovered vulnerability in the device page) and shows the detection logic and source.
-The "OS Feature" category is also shown in relevant scenarios. For example, a CVE affects devices that run a vulnerable OS, only if a specific OS component is enabled on these devices. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll attach this CVE only to the Windows Server 2019 devices with DNS capability enabled in their OS.
+The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS.
## Report inaccuracy
-You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
+Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.
1. Open the CVE on the Weaknesses page.
-2. Select **Report inaccuracy**.
-3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
+2. Select **Report inaccuracy** and a flyout pane will open.
+3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details.
4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index d58c080f49..4514bd1e98 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -30,19 +30,21 @@ ms.topic: article
The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
-1. In the navigation pane, select **Settings > Roles**.
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with a Security administrator or Global administrator role assigned.
-2. Select **Add item**.
+2. In the navigation pane, select **Settings > Roles**.
-3. Enter the role name, description, and permissions you'd like to assign to the role.
+3. Select **Add item**.
-4. Select **Next** to assign the role to an Azure AD Security group.
+4. Enter the role name, description, and permissions you'd like to assign to the role.
-5. Use the filter to select the Azure AD group that you'd like to add to this role to.
+5. Select **Next** to assign the role to an Azure AD Security group.
-6. **Save and close**.
+6. Use the filter to select the Azure AD group that you'd like to add to this role to.
-7. Apply the configuration settings.
+7. **Save and close**.
+
+8. Apply the configuration settings.
> [!IMPORTANT]
> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.
@@ -81,19 +83,27 @@ For more information on the available commands, see [Investigate devices using L
## Edit roles
-1. Select the role you'd like to edit.
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
-2. Click **Edit**.
+2. In the navigation pane, select **Settings > Roles**.
-3. Modify the details or the groups that are assigned to the role.
+3. Select the role you'd like to edit.
-4. Click **Save and close**.
+4. Click **Edit**.
+
+5. Modify the details or the groups that are assigned to the role.
+
+6. Click **Save and close**.
## Delete roles
-1. Select the role you'd like to delete.
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
-2. Click the drop-down button and select **Delete role**.
+2. In the navigation pane, select **Settings > Roles**.
+
+3. Select the role you'd like to delete.
+
+4. Click the drop-down button and select **Delete role**.
## Related topic
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
index 0a72f9fa7d..73f10d1488 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
@@ -49,7 +49,7 @@ Incident severity | Description
High (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on devices.
Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
-Informational (Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.
+Informational (Grey) | Informational incidents might not be considered harmful to the network but might be good to keep track of.
## Assigned to
You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
@@ -65,16 +65,15 @@ Use this filter to show incidents that contain sensitivity labels.
## Incident naming
-To understand the incident's scope at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
+To understand the incident's scope at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
> [!NOTE]
-> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+> Incidents that existed prior the rollout of automatic incident naming will retain their name.
-Learn more about [turning on preview features](preview.md#turn-on-preview-features).
-## Related topics
+## See also
- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
- [Manage incidents](manage-incidents.md)
- [Investigate incidents](investigate-incidents.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
index 73aeb36a61..15ec215f1c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
@@ -1,50 +1,50 @@
----
-title: Vulnerability methods and properties
-description: Retrieves vulnerability information
-keywords: apis, graph api, supported apis, get, vulnerability
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Vulnerability resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
-[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
-[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Vulnerability ID
-Name | String | Vulnerability title
-Description | String | Vulnerability description
-Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
-cvssV3 | Double | CVSS v3 score
-exposedMachines | Long | Number of exposed devices
-publishedOn | DateTime | Date when vulnerability was published
-updatedOn | DateTime | Date when vulnerability was updated
-publicExploit | Boolean | Public exploit exists
-exploitVerified | Boolean | Exploit is verified to work
-exploitInKit | Boolean | Exploit is part of an exploit kit
-exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
-exploitUris | String collection | Exploit source URLs
+---
+title: Vulnerability methods and properties
+description: Retrieves vulnerability information
+keywords: apis, graph api, supported apis, get, vulnerability
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Vulnerability resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
+[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
+[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Vulnerability ID
+Name | String | Vulnerability title
+Description | String | Vulnerability description
+Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
+cvssV3 | Double | CVSS v3 score
+exposedMachines | Long | Number of exposed devices
+publishedOn | DateTime | Date when vulnerability was published
+updatedOn | DateTime | Date when vulnerability was updated
+publicExploit | Boolean | Public exploit exists
+exploitVerified | Boolean | Exploit is verified to work
+exploitInKit | Boolean | Exploit is part of an exploit kit
+exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
+exploitUris | String collection | Exploit source URLs
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 4f0891df0c..3956891c0c 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -33,29 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Description |
-Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
- | Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreenWindows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen |
+Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
+ | Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreenWindows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen |
At least Windows Server 2012, Windows 8 or Windows RT |
This policy setting turns on Microsoft Defender SmartScreen. If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. |
-Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control |
-Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control |
-Windows 10, version 1703 |
-This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.This setting does not protect against malicious content from USB devices, network shares or other non-internet sources. Important: Using a trustworthy browser helps ensure that these protections work as expected. |
+Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control |
+Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control |
+Windows 10, version 1703 |
+This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.This setting does not protect against malicious content from USB devices, network shares or other non-internet sources. Important: Using a trustworthy browser helps ensure that these protections work as expected. |
-Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreenWindows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen |
+Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreenWindows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen |
Microsoft Edge on Windows 10 or later |
This policy setting turns on Microsoft Defender SmartScreen. If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. |
-Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesWindows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files Windows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files |
+Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesWindows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files Windows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files |
Microsoft Edge on Windows 10, version 1511 or later |
This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files. If you enable this setting, it stops employees from bypassing the warning, stopping the file download. If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files. |
-Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesWindows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites Windows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites |
+Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesWindows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites Windows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites |
Microsoft Edge on Windows 10, version 1511 or later |
This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites. If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site. If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site. |
@@ -90,11 +90,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
Windows 10 |
-- URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
-- Data type. Integer
-- Allowed values:
-- 0 . Turns off Microsoft Defender SmartScreen in Edge.
-- 1. Turns on Microsoft Defender SmartScreen in Edge.
+- URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
+- Data type. Integer
+- Allowed values:
+- 0 . Turns off Microsoft Defender SmartScreen in Edge.
+- 1. Turns on Microsoft Defender SmartScreen in Edge.
|
@@ -102,11 +102,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
| Windows 10, version 1703 |
-- URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
-- Data type. Integer
-- Allowed values:
-- 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
-- 1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.
+- URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
+- Data type. Integer
+- Allowed values:
+- 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
+- 1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.
|
@@ -114,11 +114,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
| Windows 10, version 1703 |
-- URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
-- Data type. Integer
-- Allowed values:
-- 0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
-- 1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
+- URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
+- Data type. Integer
+- Allowed values:
+- 0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
+- 1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
|
@@ -126,11 +126,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
| Windows 10, version 1703 |
-- URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
-- Data type. Integer
-- Allowed values:
-- 0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
-- 1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
+- URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
+- Data type. Integer
+- Allowed values:
+- 0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
+- 1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
|
@@ -138,11 +138,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
| Windows 10, Version 1511 and later |
-- URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
-- Data type. Integer
-- Allowed values:
-- 0 . Employees can ignore Microsoft Defender SmartScreen warnings.
-- 1. Employees can't ignore Microsoft Defender SmartScreen warnings.
+- URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
+- Data type. Integer
+- Allowed values:
+- 0 . Employees can ignore Microsoft Defender SmartScreen warnings.
+- 1. Employees can't ignore Microsoft Defender SmartScreen warnings.
|
@@ -150,11 +150,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
| Windows 10, Version 1511 and later |
-- URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
-- Data type. Integer
-- Allowed values:
-- 0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
-- 1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
+- URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
+- Data type. Integer
+- Allowed values:
+- 0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
+- 1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
|
@@ -170,19 +170,19 @@ To better help you protect your organization, we recommend turning on and using
| Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen |
-Enable. Turns on Microsoft Defender SmartScreen. |
+Enable. Turns on Microsoft Defender SmartScreen. |
| Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites |
-Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website. |
+Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website. |
| Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files |
-Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files. |
+Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files. |
| Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen |
-Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet. |
+Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet. |
@@ -193,23 +193,23 @@ To better help you protect your organization, we recommend turning on and using
|
| Browser/AllowSmartScreen |
-1. Turns on Microsoft Defender SmartScreen. |
+1. Turns on Microsoft Defender SmartScreen. |
| Browser/PreventSmartScreenPromptOverride |
-1. Stops employees from ignoring warning messages and continuing to a potentially malicious website. |
+1. Stops employees from ignoring warning messages and continuing to a potentially malicious website. |
| Browser/PreventSmartScreenPromptOverrideForFiles |
-1. Stops employees from ignoring warning messages and continuing to download potentially malicious files. |
+1. Stops employees from ignoring warning messages and continuing to download potentially malicious files. |
| SmartScreen/EnableSmartScreenInShell |
-1. Turns on Microsoft Defender SmartScreen in Windows. Requires at least Windows 10, version 1703. |
+1. Turns on Microsoft Defender SmartScreen in Windows. Requires at least Windows 10, version 1703. |
| SmartScreen/PreventOverrideForFilesInShell |
-1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet. Requires at least Windows 10, version 1703. |
+1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet. Requires at least Windows 10, version 1703. |
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 15bf8bc91c..eaef387dbf 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -311,9 +311,9 @@ The following table lists EMET features in relation to Windows 10 features.
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index d726f7ff56..905bf8c06a 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -351,7 +351,7 @@ The following table details the hardware requirements for both virtualization-ba
Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled |
Required to support virtualization-based security.
- NoteDevice Guard can be enabled without using virtualization-based security.
+ NoteDevice Guard can be enabled without using virtualization-based security.
@@ -533,7 +533,7 @@ If the TPM ownership is not known but the EK exists, the client library will pro
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
-> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net
+> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net
### Windows 10 Health Attestation CSP
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index f5a0e5c08f..c93ec93b11 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -6,7 +6,6 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-ms.localizationpriority: medium
author: dansimp
ms.date: 09/17/2018
ms.reviewer:
@@ -91,9 +90,9 @@ In other words, the hotfix in each KB article provides the necessary code and fu
| |Default SDDL |Translated SDDL| Comments
|---|---|---|---|
-|Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.|
+|Windows Server 2016 (or later) domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.|
|Earlier domain controller |-|-|No access check is performed by default.|
-|Windows 10, version 1607 non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) DACL: • Revision: 0x02 • Size: 0x0020 • Ace Count: 0x001 • Ace[00]------------------------- AceType:0x00 (ACCESS\_ALLOWED_ACE_TYPE) AceSize:0x0018 InheritFlags:0x00 Access Mask:0x00020000 AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
+|Windows 10, version 1607 (or later) non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) DACL: • Revision: 0x02 • Size: 0x0020 • Ace Count: 0x001 • Ace[00]------------------------- AceType:0x00 (ACCESS\_ALLOWED_ACE_TYPE) AceSize:0x0018 InheritFlags:0x00 Access Mask:0x00020000 AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
|Earlier non-domain controller |-|-|No access check is performed by default.|
## Policy management
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index 7ac5a2faeb..1f35434f95 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -59,12 +59,12 @@ You can perform this task by using the Group Policy Management Console for an Ap
- Use an installed packaged app as a reference |
+ Use an installed packaged app as a reference |
If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule. |
You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference. |
- Use a packaged app installer as a reference |
+ Use a packaged app installer as a reference |
If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule. |
Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule. |
@@ -87,30 +87,30 @@ You can perform this task by using the Group Policy Management Console for an Ap
- Applies to Any publisher |
- This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install.
- Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running. |
+ Applies to Any publisher |
+ This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install.
+ Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running. |
You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app. |
- Applies to a specific Publisher |
+ Applies to a specific Publisher |
This scopes the rule to all apps published by a particular publisher. |
You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. |
- Applies to a Package name |
+ Applies to a Package name |
This scopes the rule to all packages that share the publisher name and package name as the reference file. |
You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. |
- Applies to a Package version |
+ Applies to a Package version |
This scopes the rule to a particular version of the package. |
You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. |
Applying custom values to the rule |
- Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance. |
- You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name. |
+ Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance. |
+ You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name. |
|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
index 3cac5abbce..c43cf96fee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
@@ -99,9 +99,9 @@ The following table provides an example of how to list applications for each bus
|
->Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
+>Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
-Event processing
+Event processing
As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index 90bf198903..35e51ee350 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -277,7 +277,7 @@ The following table is an example of what to consider and record.
|
-Policy maintenance policy
+Policy maintenance policy
When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies.
The following table is an example of what to consider and record.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 5bfe8d38ed..1d132ac242 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -131,7 +131,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
-Event processing policy
+Event processing policy
@@ -169,7 +169,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
-Policy maintenance policy
+Policy maintenance policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index 7baf71b5df..a8bfeff845 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -119,7 +119,7 @@ If your organization supports multiple Windows operating systems, app control po
AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see Requirements to use AppLocker.
- NoteIf you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.
+ NoteIf you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index 610fcc1a0c..f051177f0c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -14,7 +14,6 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
-ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6
ms.reviewer:
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
index 2ddcbb332e..eab62e36b7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
@@ -119,7 +119,7 @@ The following table compares AppLocker to Software Restriction Policies.
|
-Application control function differences
+Application control function differences
The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker.
@@ -141,7 +141,7 @@ The following table compares the application control functions of Software Restr
SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003. |
AppLocker policies apply only to those supported operating system versions and editions listed in Requirements to use AppLocker. But these systems can also use SRP.
- NoteUse different GPOs for SRP and AppLocker rules.
+ NoteUse different GPOs for SRP and AppLocker rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index a7e35f839e..da15b10af4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -3,9 +3,6 @@ title: Create a code signing cert for Windows Defender Application Control (Win
description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 266e60b744..ae0cd53f63 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -3,9 +3,7 @@ title: Understand Windows Defender Application Control policy design decisions
description: Understand Windows Defender Application Control policy design decisions.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
manager: dansimp
-ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -16,7 +14,6 @@ ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
-manager: dansimp
ms.date: 02/08/2018
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index 555168716a..f49176ee48 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -3,9 +3,6 @@ title: Use code signing to simplify application control for classic Windows appl
description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index d050e42b00..766037be4b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -3,8 +3,6 @@ title: Use the Device Guard Signing Portal in the Microsoft Store for Business
description: You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
@@ -15,7 +13,6 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
manager: dansimp
ms.date: 02/19/2019
---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index 5bbcb531fa..f5a09fc5c6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -3,9 +3,6 @@ title: Use signed policies to protect Windows Defender Application Control again
description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index 43cc718d71..79a167e2a1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -3,7 +3,6 @@ title: Use a Windows Defender Application Control policy to control specific plu
description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.prod: w10
@@ -15,8 +14,6 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
ms.date: 05/03/2018
---
diff --git a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
index 4ca95e5608..0533ec00f5 100644
--- a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
+++ b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
@@ -1,5 +1,10 @@
-# [The Microsoft Defender Security Center app](windows-defender-security-center.md)
+---
+ms.author: dansimp
+author: dansimp
+title: The Microsoft Defender Security Center app
+---
+# [The Microsoft Defender Security Center app](windows-defender-security-center.md)
## [Customize the Microsoft Defender Security Center app for your organization](wdsc-customize-contact-information.md)
## [Hide Microsoft Defender Security Center app notifications](wdsc-hide-notifications.md)
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index 2ab6468f1e..3179f10cb2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -3,7 +3,6 @@ title: Account protection in the Windows Security app
description: Use the Account protection section to manage security for your account and sign in to Microsoft.
keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide, Windows Defender SmartScreen, SmartScreen Filter, Windows SmartScreen
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index 001c490193..bbfe0a7bd0 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -3,7 +3,6 @@ title: App & browser control in the Windows Security app
description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index cb2c999276..1611fdc1c9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -3,7 +3,6 @@ title: Customize Windows Security contact information
description: Provide information to your employees on how to contact your IT department when a security issue occurs
keywords: wdsc, security center, defender, notification, customize, contact, it department, help desk, call, help site
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index d02b829376..ca606e3a6b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -3,7 +3,6 @@ title: Device & performance health in the Windows Security app
description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
keywords: wdsc, windows update, storage, driver, device, installation, battery, health, status
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index 2acf81e5cf..26a2da094f 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -3,7 +3,6 @@ title: Device security in the Windows Security app
description: Use the Device security section to manage security built into your device, including virtualization-based security.
keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index d785a3f420..47bf414bc9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -3,7 +3,6 @@ title: Family options in the Windows Security app
description: Hide the Family options section in enterprise environments
keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index 141a5c002f..4209ff2f58 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -3,11 +3,9 @@ title: Firewall and network protection in the Windows Security app
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 7210da90bf..e4ee0c83a3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -3,7 +3,6 @@ title: Hide notifications from the Windows Security app
description: Prevent Windows Security app notifications from appearing on user endpoints
keywords: defender, security center, app, notifications, av, alerts
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index df2646c94e..f3c4b5e3d9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -3,7 +3,6 @@ title: Virus and threat protection in the Windows Security app
description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
index 5431868198..6be93c64cb 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -3,7 +3,6 @@ title: Manage Windows Security in Windows 10 in S mode
description: Windows Security settings are different in Windows 10 in S mode
keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 0f263a291a..a3bf04355b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -3,11 +3,9 @@ title: The Windows Security app
description: The Windows Security app brings together common Windows security features into one place
keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md
index e3271818c1..e5edff503e 100644
--- a/windows/security/threat-protection/windows-firewall/TOC.md
+++ b/windows/security/threat-protection/windows-firewall/TOC.md
@@ -1,110 +1,179 @@
# [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
-## [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md)
-## [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
-## [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
-## [Design Guide](windows-firewall-with-advanced-security-design-guide.md)
-### [Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
-### [Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
-#### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
-#### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
-#### [Require Encryption](require-encryption-when-accessing-sensitive-network-resources.md)
-#### [Restrict Access](restrict-access-to-only-specified-users-or-devices.md)
-### [Mapping Goals to a Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
-#### [Basic Design](basic-firewall-policy-design.md)
-#### [Domain Isolation Design](domain-isolation-policy-design.md)
-#### [Server Isolation Design](server-isolation-policy-design.md)
-#### [Certificate-based Isolation Design](certificate-based-isolation-policy-design.md)
-### [Evaluating Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
-#### [Basic Design Example](firewall-policy-design-example.md)
-#### [Domain Isolation Design Example](domain-isolation-policy-design-example.md)
-#### [Server Isolation Design Example](server-isolation-policy-design-example.md)
-#### [Certificate-based Isolation Design Example](certificate-based-isolation-policy-design-example.md)
-### [Designing a Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
-#### [Gathering the Info You Need](gathering-the-information-you-need.md)
-##### [Network](gathering-information-about-your-current-network-infrastructure.md)
-##### [Active Directory](gathering-information-about-your-active-directory-deployment.md)
-##### [Computers](gathering-information-about-your-devices.md)
-##### [Other Relevant Information](gathering-other-relevant-information.md)
-#### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md)
-### [Planning Your Design](planning-your-windows-firewall-with-advanced-security-design.md)
-#### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
-#### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
-##### [Exemption List](exemption-list.md)
-##### [Isolated Domain](isolated-domain.md)
-##### [Boundary Zone](boundary-zone.md)
-##### [Encryption Zone](encryption-zone.md)
-#### [Planning Server Isolation Zones](planning-server-isolation-zones.md)
-#### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
+
+## [Plan deployment]()
+
+### [Design guide](windows-firewall-with-advanced-security-design-guide.md)
+
+### [Design process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
+
+### [Implementation goals]()
+#### [Identify implementation goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
+#### [Protect devices from unwanted network traffic](protect-devices-from-unwanted-network-traffic.md)
+#### [Restrict access to only trusted devices](restrict-access-to-only-trusted-devices.md)
+#### [Require encryption](require-encryption-when-accessing-sensitive-network-resources.md)
+#### [Restrict access](restrict-access-to-only-specified-users-or-devices.md)
+
+### [Implementation designs]()
+#### [Mapping goals to a design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+
+#### [Basic firewall design](basic-firewall-policy-design.md)
+##### [Basic firewall design example](firewall-policy-design-example.md)
+
+
+#### [Domain isolation design](domain-isolation-policy-design.md)
+##### [Domain isolation design example](domain-isolation-policy-design-example.md)
+
+
+#### [Server isolation design](server-isolation-policy-design.md)
+##### [Server Isolation design example](server-isolation-policy-design-example.md)
+
+
+#### [Certificate-based isolation design](certificate-based-isolation-policy-design.md)
+##### [Certificate-based Isolation design example](certificate-based-isolation-policy-design-example.md)
+
+### [Design planning]()
+#### [Planning your design](planning-your-windows-firewall-with-advanced-security-design.md)
+
+#### [Planning settings for a basic firewall policy](planning-settings-for-a-basic-firewall-policy.md)
+
+#### [Planning domain isolation zones]()
+##### [Domain isolation zones](planning-domain-isolation-zones.md)
+##### [Exemption list](exemption-list.md)
+##### [Isolated domain](isolated-domain.md)
+##### [Boundary zone](boundary-zone.md)
+##### [Encryption zone](encryption-zone.md)
+
+#### [Planning server isolation zones](planning-server-isolation-zones.md)
+
+#### [Planning certificate-based authentication](planning-certificate-based-authentication.md)
##### [Documenting the Zones](documenting-the-zones.md)
-##### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
-###### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
-###### [Planning Network Access Groups](planning-network-access-groups.md)
+
+##### [Planning group policy deployment for your isolation zones](planning-group-policy-deployment-for-your-isolation-zones.md)
+###### [Planning isolation groups for the zones](planning-isolation-groups-for-the-zones.md)
+###### [Planning network access groups](planning-network-access-groups.md)
+
###### [Planning the GPOs](planning-the-gpos.md)
####### [Firewall GPOs](firewall-gpos.md)
######## [GPO_DOMISO_Firewall](gpo-domiso-firewall.md)
-####### [Isolated Domain GPOs](isolated-domain-gpos.md)
+####### [Isolated domain GPOs](isolated-domain-gpos.md)
######## [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md)
######## [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md)
-####### [Boundary Zone GPOs](boundary-zone-gpos.md)
+####### [Boundary zone GPOs](boundary-zone-gpos.md)
######## [GPO_DOMISO_Boundary](gpo-domiso-boundary.md)
-####### [Encryption Zone GPOs](encryption-zone-gpos.md)
+####### [Encryption zone GPOs](encryption-zone-gpos.md)
######## [GPO_DOMISO_Encryption](gpo-domiso-encryption.md)
-####### [Server Isolation GPOs](server-isolation-gpos.md)
-###### [Planning GPO Deployment](planning-gpo-deployment.md)
-### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
-## [Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
-### [Planning to Deploy](planning-to-deploy-windows-firewall-with-advanced-security.md)
-### [Implementing Your Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
-### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
-### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
-### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)
-### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)
-### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)
-### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
-#### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)
-#### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)
-#### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)
-#### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)
-### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
-#### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
-#### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
-### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
-### [Procedures Used in This Guide](procedures-used-in-this-guide.md)
-#### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
-#### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
-#### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
-#### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
-#### [Configure Authentication Methods](configure-authentication-methods.md)
-#### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
-#### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
-#### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
-#### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
-#### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
-#### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
-#### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
-#### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
-#### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
-#### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
-#### [Create a Group Policy Object](create-a-group-policy-object.md)
-#### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
-#### [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
-#### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
-#### [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
-#### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
-#### [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
-#### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
-#### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
-#### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
-#### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md)
-#### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
-#### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
-#### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
-#### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
-#### [Modify GPO Filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
-#### [Open IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
-#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md)
-#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
-#### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md)
-#### [Restrict Server Access](restrict-server-access-to-members-of-a-group-only.md)
-#### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md)
-#### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md)
+####### [Server isolation GPOs](server-isolation-gpos.md)
+
+###### [Planning GPO deployment](planning-gpo-deployment.md)
+
+
+### [Planning to deploy](planning-to-deploy-windows-firewall-with-advanced-security.md)
+
+
+## [Deployment guide]()
+### [Deployment overview](windows-firewall-with-advanced-security-deployment-guide.md)
+
+### [Implementing your plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
+
+### [Basic firewall deployment]()
+#### [Checklist: Implementing a basic firewall policy design](checklist-implementing-a-basic-firewall-policy-design.md)
+
+
+
+### [Domain isolation deployment]()
+#### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
+
+
+
+### [Server isolation deployment]()
+#### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
+
+
+
+### [Certificate-based authentication]()
+#### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
+
+
+
+## [Best practices]()
+### [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
+### [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
+### [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md)
+
+
+## [How-to]()
+### [Add Production devices to the membership group for a zone](add-production-devices-to-the-membership-group-for-a-zone.md)
+### [Add test devices to the membership group for a zone](add-test-devices-to-the-membership-group-for-a-zone.md)
+### [Assign security group filters to the GPO](assign-security-group-filters-to-the-gpo.md)
+### [Change rules from request to require mode](Change-Rules-From-Request-To-Require-Mode.Md)
+### [Configure authentication methods](Configure-authentication-methods.md)
+### [Configure data protection (Quick Mode) settings](configure-data-protection-quick-mode-settings.md)
+### [Configure Group Policy to autoenroll and deploy certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
+### [Configure key exchange (main mode) settings](configure-key-exchange-main-mode-settings.md)
+### [Configure the rules to require encryption](configure-the-rules-to-require-encryption.md)
+### [Configure the Windows Firewall log](configure-the-windows-firewall-log.md)
+### [Configure the workstation authentication certificate template](configure-the-workstation-authentication-certificate-template.md)
+### [Configure Windows Firewall to suppress notifications when a program is blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
+### [Confirm that certificates are deployed correctly](confirm-that-certificates-are-deployed-correctly.md)
+### [Copy a GPO to create a new GPO](copy-a-gpo-to-create-a-new-gpo.md)
+### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
+### [Create a Group Policy Object](create-a-group-policy-object.md)
+### [Create an authentication exemption list rule](create-an-authentication-exemption-list-rule.md)
+### [Create an authentication request rule](create-an-authentication-request-rule.md)
+### [Create an inbound ICMP rule](create-an-inbound-icmp-rule.md)
+### [Create an inbound port rule](create-an-inbound-port-rule.md)
+### [Create an inbound program or service rule](create-an-inbound-program-or-service-rule.md)
+### [Create an outbound port rule](create-an-outbound-port-rule.md)
+### [Create an outbound program or service rule](create-an-outbound-program-or-service-rule.md)
+### [Create inbound rules to support RPC](create-inbound-rules-to-support-rpc.md)
+### [Create WMI filters for the GPO](create-wmi-filters-for-the-gpo.md)
+### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md)
+### [Enable predefined inbound rules](enable-predefined-inbound-rules.md)
+### [Enable predefined outbound rules](enable-predefined-outbound-rules.md)
+### [Exempt ICMP from authentication](exempt-icmp-from-authentication.md)
+### [Link the GPO to the domain](link-the-gpo-to-the-domain.md)
+### [Modify GPO filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
+### [Open IP security policies](open-the-group-policy-management-console-to-ip-security-policies.md)
+### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md)
+### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md)
+### [Restrict server access](restrict-server-access-to-members-of-a-group-only.md)
+### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md)
+### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md)
+
+
+## [References]()
+### [Checklist: Creating Group Policy objects](checklist-creating-group-policy-objects.md)
+### [Checklist: Creating inbound firewall rules](checklist-creating-inbound-firewall-rules.md)
+### [Checklist: Creating outbound firewall rules](checklist-creating-outbound-firewall-rules.md)
+### [Checklist: Configuring basic firewall settings](checklist-configuring-basic-firewall-settings.md)
+
+
+### [Checklist: Configuring rules for the isolated domain](checklist-configuring-rules-for-the-isolated-domain.md)
+### [Checklist: Configuring rules for the boundary zone](checklist-configuring-rules-for-the-boundary-zone.md)
+### [Checklist: Configuring rules for the encryption zone](checklist-configuring-rules-for-the-encryption-zone.md)
+### [Checklist: Configuring rules for an isolated server zone](checklist-configuring-rules-for-an-isolated-server-zone.md)
+
+### [Checklist: Configuring rules for servers in a standalone isolated server zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
+### [Checklist: Creating rules for clients of a standalone isolated server zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
+
+
+### [Appendix A: Sample GPO template files for settings used in this guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
+
+
+
+## [Troubleshooting]()
+### [Troubleshooting UWP app connectivity issues in Windows Firewall](troubleshooting-uwp-firewall.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
index d74524355b..32918a0147 100644
--- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -1,6 +1,6 @@
---
title: Add Production Devices to the Membership Group for a Zone (Windows 10)
-description: Add Production Devices to the Membership Group for a Zone
+description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
index c79ea27f4e..6bfc87a6c3 100644
--- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -1,6 +1,6 @@
---
title: Add Test Devices to the Membership Group for a Zone (Windows 10)
-description: Add Test Devices to the Membership Group for a Zone
+description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index a0422c4a14..b9c0f35fc2 100644
--- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -1,6 +1,6 @@
---
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10)
-description: Appendix A Sample GPO Template Files for Settings Used in this Guide
+description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index b41fba1e87..663f7ba800 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -1,6 +1,6 @@
---
title: Assign Security Group Filters to the GPO (Windows 10)
-description: Assign Security Group Filters to the GPO
+description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
index 0b313e0d05..81e8194d88 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
@@ -1,6 +1,6 @@
---
title: Boundary Zone GPOs (Windows 10)
-description: Boundary Zone GPOs
+description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
index 05d8ac588f..849fd51e8b 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -1,6 +1,6 @@
---
title: Boundary Zone (Windows 10)
-description: Boundary Zone
+description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index efa67c42bc..45b1bdfe0f 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -1,6 +1,6 @@
---
title: Certificate-based Isolation Policy Design Example (Windows 10)
-description: Certificate-based Isolation Policy Design Example
+description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index 71775ab476..38ec0654bb 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 08/17/2017
---
-# Certificate-based Isolation Policy Design
+# Certificate-based isolation policy design
**Applies to**
- Windows 10
@@ -35,7 +35,7 @@ For Windows devices that are part of an Active Directory domain, you can use Gro
For more info about this design:
-- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
+- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md).
@@ -45,4 +45,4 @@ For more info about this design:
- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
-**Next:** [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
+
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
index 2163ee0015..9bc976625b 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
@@ -1,6 +1,6 @@
---
title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10)
-description: Checklist Configuring Rules for an Isolated Server Zone
+description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
index 8d8d97e772..4a8272c0a4 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
@@ -1,6 +1,6 @@
---
title: Checklist Configuring Rules for the Boundary Zone (Windows 10)
-description: Checklist Configuring Rules for the Boundary Zone
+description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
index 5c265b66ef..b9406909c6 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
@@ -1,6 +1,6 @@
---
title: Checklist Configuring Rules for the Encryption Zone (Windows 10)
-description: Checklist Configuring Rules for the Encryption Zone
+description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
index 260980b98d..dce673dded 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
@@ -1,6 +1,6 @@
---
title: Checklist Configuring Rules for the Isolated Domain (Windows 10)
-description: Checklist Configuring Rules for the Isolated Domain
+description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
index 151e5017f4..4bea4169a2 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
@@ -1,6 +1,6 @@
---
title: Checklist Creating Group Policy Objects (Windows 10)
-description: Checklist Creating Group Policy Objects
+description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
index 9c392608a3..4b04bec98e 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
@@ -1,6 +1,6 @@
---
title: Checklist Creating Inbound Firewall Rules (Windows 10)
-description: Checklist Creating Inbound Firewall Rules
+description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
index 10f025a062..4b03a9a468 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
@@ -1,6 +1,6 @@
---
title: Checklist Creating Outbound Firewall Rules (Windows 10)
-description: Checklist Creating Outbound Firewall Rules
+description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
index 4d6b02ef58..6e7e1f12f2 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10)
-description: Checklist Implementing a Certificate-based Isolation Policy Design
+description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
ms.reviewer:
ms.author: dansimp
@@ -25,13 +25,14 @@ ms.date: 08/17/2017
This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
->**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist
+> [!NOTE]
+> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist
**Checklist: Implementing certificate-based authentication**
| Task | Reference |
| - | - |
-| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
+| Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| |
| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)|
| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)|
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
index 139618cb53..f9ac702f70 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Checklist Implementing a Domain Isolation Policy Design (Windows 10)
-description: Checklist Implementing a Domain Isolation Policy Design
+description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
ms.reviewer:
ms.author: dansimp
@@ -25,7 +25,8 @@ ms.date: 08/17/2017
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
->**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
+> [!NOTE]
+> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
@@ -33,7 +34,7 @@ The procedures in this section use the Group Policy MMC snap-ins to configure th
| Task | Reference |
| - | - |
-| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) [Domain Isolation Policy Design](domain-isolation-policy-design.md) [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
+| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) [Domain Isolation Policy Design](domain-isolation-policy-design.md) [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)|
| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)|
| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)|
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
index 05aad0007e..5428613f80 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10)
-description: Checklist Implementing a Standalone Server Isolation Policy Design
+description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists.
ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
ms.reviewer:
ms.author: dansimp
@@ -27,13 +27,14 @@ This checklist contains procedures for creating a server isolation policy design
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
->**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
+> [!NOTE]
+> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
**Checklist: Implementing a standalone server isolation policy design**
| Task | Reference |
| - | - |
-| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) [Server Isolation Policy Design](server-isolation-policy-design.md) [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) [Planning Server Isolation Zones](planning-server-isolation-zones.md) |
+| Review important concepts and examples for the server isolation policy design to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) [Server Isolation Policy Design](server-isolation-policy-design.md) [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) [Planning Server Isolation Zones](planning-server-isolation-zones.md) |
| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)|
| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)|
| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|
diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
index 1537a9a193..547685f707 100644
--- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
+++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
@@ -1,6 +1,6 @@
---
title: Configure Authentication Methods (Windows 10)
-description: Configure Authentication Methods
+description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
index 70452597e6..886c851257 100644
--- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
@@ -1,6 +1,6 @@
---
title: Configure Data Protection (Quick Mode) Settings (Windows 10)
-description: Configure Data Protection (Quick Mode) Settings
+description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index c16f30452b..c619cda63c 100644
--- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -1,6 +1,6 @@
---
title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10)
-description: Configure Group Policy to Autoenroll and Deploy Certificates
+description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
index b8743e2e69..7666bdc174 100644
--- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
@@ -1,6 +1,6 @@
---
title: Configure Key Exchange (Main Mode) Settings (Windows 10)
-description: Configure Key Exchange (Main Mode) Settings
+description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
index 7fde7baa03..ca7c77dfd2 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
@@ -1,6 +1,6 @@
---
title: Configure the Rules to Require Encryption (Windows 10)
-description: Configure the Rules to Require Encryption
+description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption.
ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index 537198bd08..8cb54165e1 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -1,6 +1,6 @@
---
title: Configure the Windows Defender Firewall Log (Windows 10)
-description: Configure the Windows Defender Firewall Log
+description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index 61f12fe05d..927053f40c 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -1,6 +1,6 @@
---
title: Configure the Workstation Authentication Template (Windows 10)
-description: Configure the Workstation Authentication Certificate Template
+description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
index 566425e4b8..65704e92f5 100644
--- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
@@ -1,6 +1,6 @@
---
title: Confirm That Certificates Are Deployed Correctly (Windows 10)
-description: Confirm That Certificates Are Deployed Correctly
+description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index e9c8024043..51ecd3fcb2 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -1,6 +1,6 @@
---
title: Copy a GPO to Create a New GPO (Windows 10)
-description: Copy a GPO to Create a New GPO
+description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
index 5e5b2b22d9..35f885a1ee 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
@@ -1,6 +1,6 @@
---
title: Create a Group Account in Active Directory (Windows 10)
-description: Create a Group Account in Active Directory
+description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index b790f7d1ac..f003f3c604 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -1,6 +1,6 @@
---
title: Create a Group Policy Object (Windows 10)
-description: Create a Group Policy Object
+description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
index 2f97c1e3a7..bdcad85769 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Authentication Exemption List Rule (Windows 10)
-description: Create an Authentication Exemption List Rule
+description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
index 2c0470e6c8..914c035aa9 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Inbound ICMP Rule (Windows 10)
-description: Create an Inbound ICMP Rule
+description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index 2c3d3fccae..89db14ccae 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Inbound Port Rule (Windows 10)
-description: Create an Inbound Port Rule
+description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
index 401e8de3f6..c2d887fe0d 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Inbound Program or Service Rule (Windows 10)
-description: Create an Inbound Program or Service Rule
+description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
index 19ced05694..db459ab562 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Outbound Port Rule (Windows 10)
-description: Create an Outbound Port Rule
+description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
index 84b71ac1f8..e44f10923b 100644
--- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
+++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
@@ -1,6 +1,6 @@
---
title: Create Inbound Rules to Support RPC (Windows 10)
-description: Create Inbound Rules to Support RPC
+description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index e7201d21c3..9b88cddfe3 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -1,6 +1,6 @@
---
title: Create Windows Firewall rules in Intune (Windows 10)
-description: Explains how to create Windows Firewall rules in Intune
+description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 57292a294e..ebcd8943b9 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -1,6 +1,6 @@
---
title: Create WMI Filters for the GPO (Windows 10)
-description: Create WMI Filters for the GPO
+description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows.
ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index d7bed686fa..b4f3c5a658 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -1,6 +1,6 @@
---
title: Determining the Trusted State of Your Devices (Windows 10)
-description: Determining the Trusted State of Your Devices
+description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security.
ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 0fa1893aa6..6ed3a0bf2a 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -1,6 +1,6 @@
---
title: Documenting the Zones (Windows 10)
-description: Documenting the Zones
+description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security.
ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index d0e345f2c5..bdc9a665db 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -1,6 +1,6 @@
---
title: Domain Isolation Policy Design Example (Windows 10)
-description: Domain Isolation Policy Design Example
+description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security.
ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index 948932fb53..ab6c8e4327 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Domain Isolation Policy Design (Windows 10)
-description: Domain Isolation Policy Design
+description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain.
ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66
ms.reviewer:
ms.author: dansimp
@@ -50,8 +50,8 @@ Characteristics of this design, as shown in the diagram, include the following:
- Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices.
After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization.
-
->**Important:** This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented.
+> [!IMPORTANT]
+> This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented.
This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules.
@@ -59,7 +59,7 @@ In order to expand the isolated domain to include Devices that cannot be part of
For more info about this design:
-- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
+- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
- To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md).
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
index 17c9f0d4ee..92491a2ab8 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
@@ -1,6 +1,6 @@
---
title: Enable Predefined Outbound Rules (Windows 10)
-description: Enable Predefined Outbound Rules
+description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security.
ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
index 1a2eab4b13..33338e8b52 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
@@ -1,6 +1,6 @@
---
title: Encryption Zone GPOs (Windows 10)
-description: Encryption Zone GPOs
+description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security.
ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index ced058672b..097cbdf870 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -1,6 +1,6 @@
---
title: Encryption Zone (Windows 10)
-description: Encryption Zone
+description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted.
ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
index 4293f9cc59..5b87eef36e 100644
--- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
@@ -1,6 +1,6 @@
---
title: Exempt ICMP from Authentication (Windows 10)
-description: Exempt ICMP from Authentication
+description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security.
ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index f66bc68daa..eb4909a401 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -1,6 +1,6 @@
---
title: Exemption List (Windows 10)
-description: Learn the ins and outs of exemption lists on a secured network using Windows 10.
+description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions.
ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
index 1af381ba0e..e40d0eddc7 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
@@ -1,6 +1,6 @@
---
title: Firewall GPOs (Windows 10)
-description: Firewall GPOs
+description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain.
ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index 5127569bc4..ca7bc12d6f 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -1,6 +1,6 @@
---
-title: Firewall Policy Design Example (Windows 10)
-description: Firewall Policy Design Example
+title: Basic Firewall Policy Design Example (Windows 10)
+description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security.
ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7
ms.reviewer:
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 08/17/2017
---
-# Firewall Policy Design Example
+# Basic Firewall Policy Design Example
**Applies to**
- Windows 10
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
index cd4b6c6d78..56c50d121a 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
@@ -1,6 +1,6 @@
---
title: Gathering Information about Your Active Directory Deployment (Windows 10)
-description: Gathering Information about Your Active Directory Deployment
+description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment.
ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
index 2feb5a2fd1..0d8532e07e 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
@@ -1,6 +1,6 @@
---
title: Gathering Information about Your Devices (Windows 10)
-description: Gathering Information about Your Devices
+description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment.
ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 5d29784f77..44b471961b 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -1,6 +1,6 @@
---
title: Gathering Other Relevant Information (Windows 10)
-description: Gathering Other Relevant Information
+description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization.
ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
index 89fc8ac3c0..da4b632a34 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
@@ -1,6 +1,6 @@
---
title: Gathering the Information You Need (Windows 10)
-description: Gathering the Information You Need
+description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment.
ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index 006015b36a..ca757eeba4 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_Boundary (Windows 10)
-description: GPO\_DOMISO\_Boundary
+description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices.
ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index e16a7ecc32..ee39cb7790 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10)
-description: GPO\_DOMISO\_Encryption\_WS2008
+description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests.
ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index e44b50dd82..3cba8b312c 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_Firewall (Windows 10)
-description: GPO\_DOMISO\_Firewall
+description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools.
ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index 5e3a16c452..96725d8ff3 100644
--- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -1,6 +1,6 @@
---
-title: Identify Goals for your WFAS Deployment (Windows 10)
-description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) Deployment Goals
+title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows 10)
+description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals
ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba
ms.reviewer:
ms.author: dansimp
@@ -17,22 +17,21 @@ ms.topic: conceptual
ms.date: 08/17/2017
---
-# Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals
-
+# Identifying Windows Defender Firewall with Advanced Security implementation goals
**Applies to**
- Windows 10
- Windows Server 2016
-Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios.
+Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios.
-The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals:
+The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall implementation goals:
| Deployment goal tasks | Reference links |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals: - [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
- [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
- [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
- [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
|
-| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. | - [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
|
-| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. | - [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
- [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
|
+| Evaluate predefined Windows Defender Firewall with Advanced Security implementation goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined implementation goals: - [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
- [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
- [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
- [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
|
+| Map one goal or a combination of the predefined implementation goals to an existing Windows Defender Firewall with Advanced Security design. | - [Mapping Your implementation goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
|
+| Based on the status of your current infrastructure, document your implementation goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. | - [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
- [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
|
diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index c56fd15494..841c88ae5d 100644
--- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -48,7 +48,7 @@ Use the following parent checklists in this section of the guide to become famil
- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
-- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
+- [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
- [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
index 84999a6bd2..a07f984898 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
@@ -1,6 +1,6 @@
---
title: Isolated Domain GPOs (Windows 10)
-description: Isolated Domain GPOs
+description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security.
ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
index bb06dc1bff..90b121b86e 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -1,6 +1,6 @@
---
title: Isolated Domain (Windows 10)
-description: Isolated Domain
+description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication.
ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
index 1a5d115e8a..169d59a2df 100644
--- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
+++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
@@ -1,6 +1,6 @@
---
title: Isolating Microsoft Store Apps on Your Network (Windows 10)
-description: Isolating Microsoft Store Apps on Your Network
+description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
index 3b40dbd662..9f710aa000 100644
--- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
+++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
@@ -1,6 +1,6 @@
---
title: Link the GPO to the Domain (Windows 10)
-description: Link the GPO to the Domain
+description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security.
ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index 9c73c224b9..314389955f 100644
--- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -1,6 +1,6 @@
---
-title: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design (Windows 10)
-description: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design
+title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows 10)
+description: Mapping your implementation goals to a Windows Firewall with Advanced Security design
ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22
ms.reviewer:
ms.author: dansimp
@@ -17,17 +17,17 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
-# Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design
+# Mapping your implementation goals to a Windows Firewall with Advanced Security design
**Applies to**
- Windows 10
- Windows Server 2016
-After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.
+After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.
+> [!IMPORTANT]
+> The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design.
->**Important:** The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design.
-
-Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security deployment goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security deployment goals to meet the needs of your organization.
+Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security implementation goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security implementation goals to meet the needs of your organization.
| Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design |
| - |- | - | - | - |
diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
index b055c8d636..9a78732eb3 100644
--- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
@@ -1,6 +1,6 @@
---
title: Modify GPO Filters (Windows 10)
-description: Modify GPO Filters to Apply to a Different Zone or Version of Windows
+description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security.
ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
index e00e35ccff..63c6cbf6d2 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
@@ -1,6 +1,6 @@
---
title: Open the Group Policy Management Console to IP Security Policies (Windows 10)
-description: Open the Group Policy Management Console to IP Security Policies
+description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system.
ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index bce220a506..134a6bb928 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -1,6 +1,6 @@
---
-title: Open a GPO to Windows Defender Firewall (Windows 10)
-description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
+title: Group Policy Management of Windows Defender Firewall (Windows 10)
+description: Group Policy Management of Windows Defender Firewall with Advanced Security
ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
ms.reviewer:
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 04/02/2017
---
-# Open the Group Policy Management Console to Windows Defender Firewall
+# Group Policy Management of Windows Defender Firewall
**Applies to**
- Windows 10
diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index cbf3fd9257..3d67c96d9d 100644
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -1,6 +1,6 @@
---
title: Open Windows Defender Firewall with Advanced Security (Windows 10)
-description: Open Windows Defender Firewall with Advanced Security
+description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group.
ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index 100858ecbe..b2b2a0467b 100644
--- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -1,6 +1,6 @@
---
title: Planning Certificate-based Authentication (Windows 10)
-description: Planning Certificate-based Authentication
+description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication.
ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
index f37a7ebdea..5a7fcb44a2 100644
--- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Domain Isolation Zones (Windows 10)
-description: Planning Domain Isolation Zones
+description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security.
ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
index 188f4f2556..831200cf48 100644
--- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
@@ -1,6 +1,6 @@
---
title: Planning GPO Deployment (Windows 10)
-description: Planning GPO Deployment
+description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
index 991bdcec0d..22f031c902 100644
--- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10)
-description: Planning Group Policy Deployment for Your Isolation Zones
+description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment.
ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 2183c3f911..cef2c16969 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Isolation Groups for the Zones (Windows 10)
-description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs
+description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs.
ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index 3043878e04..5cb6ff075c 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -1,6 +1,6 @@
---
title: Planning Network Access Groups (Windows 10)
-description: Planning Network Access Groups
+description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security.
ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index f42eca057b..b1af014fa5 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Server Isolation Zones (Windows 10)
-description: Planning Server Isolation Zones
+description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index 8138bd8ee1..5a8cd1a017 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -1,6 +1,6 @@
---
title: Planning Settings for a Basic Firewall Policy (Windows 10)
-description: Planning Settings for a Basic Firewall Policy
+description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices.
ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
index 78c49adcca..80b776ca44 100644
--- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
@@ -1,6 +1,6 @@
---
title: Planning the GPOs (Windows 10)
-description: Planning the GPOs
+description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout.
ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index 6992965186..2caa25566a 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -1,6 +1,6 @@
---
title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10)
-description: Planning Your Windows Defender Firewall with Advanced Security Design
+description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment.
ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
index 2d37487be2..643f41ab14 100644
--- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
@@ -1,6 +1,6 @@
---
title: Procedures Used in This Guide (Windows 10)
-description: Procedures Used in This Guide
+description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide.
ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index a3ca3c4b6e..a05d8eb5a3 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -1,6 +1,6 @@
---
-title: Protect Devices from Unwanted Network Traffic (Windows 10)
-description: Protect Devices from Unwanted Network Traffic
+title: Protect devices from unwanted network traffic (Windows 10)
+description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy.
ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc
ms.reviewer:
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
-# Protect Devices from Unwanted Network Traffic
+# Protect devices from unwanted network traffic
**Applies to**
- Windows 10
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index 4f5c2b1cb0..a79aedce9d 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -1,6 +1,6 @@
---
title: Require Encryption When Accessing Sensitive Network Resources (Windows 10)
-description: Require Encryption When Accessing Sensitive Network Resources
+description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted.
ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index cbdd8e51d9..27007f7718 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -1,6 +1,6 @@
---
-title: Restrict Access to Only Trusted Devices (Windows 10)
-description: Restrict Access to Only Trusted Devices
+title: Restrict access to only trusted devices (Windows 10)
+description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices.
ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b
ms.reviewer:
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 08/17/2017
---
-# Restrict Access to Only Trusted Devices
+# Restrict access to only trusted devices
**Applies to**
- Windows 10
@@ -27,7 +27,8 @@ Your organizational network likely has a connection to the Internet. You also li
To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method.
->**Note:** Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain.
+> [!NOTE]
+> Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain.
The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations.
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index dbffb1b8f1..8286d47f26 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -1,6 +1,6 @@
---
title: Server Isolation GPOs (Windows 10)
-description: Server Isolation GPOs
+description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security.
ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index b93e884682..daba2b5e2c 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -1,6 +1,6 @@
---
title: Server Isolation Policy Design Example (Windows 10)
-description: Server Isolation Policy Design Example
+description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company.
ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 1eeea3dc76..d5c4333424 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Server Isolation Policy Design (Windows 10)
-description: Server Isolation Policy Design
+description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group.
ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a
ms.reviewer:
ms.author: dansimp
@@ -43,13 +43,14 @@ Characteristics of this design include the following:
To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules.
->**Important:** This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented.
+> [!IMPORTANT]
+> This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented.
This design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules.
For more info about this design:
-- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
+- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
- To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
new file mode 100644
index 0000000000..6071427eda
--- /dev/null
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
@@ -0,0 +1,1328 @@
+---
+title: Troubleshooting UWP App Connectivity Issues in Windows Firewall
+description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
+
+ms.reviewer:
+ms.author: dansimp
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: dansimp
+manager: dansimp
+ms.collection: M365-security-compliance
+ms.topic: troubleshooting
+---
+
+# Troubleshooting UWP App Connectivity Issues
+
+This document is intended to help network admins, support engineers, and developers to
+investigate UWP app network connectivity issues.
+
+This document guides you through steps to debug Universal Windows Platform (UWP) app network connectivity issues by providing practical examples.
+
+## Typical causes of connectivity issues
+
+UWP app network connectivity issues are typically caused by:
+
+1. The UWP app was not permitted to receive loopback traffic. This must be configured. By default, UWP apps are not allowed to receive loopback traffic.
+2. The UWP app is missing the proper capability tokens.
+3. The private range is configured incorrectly. For example, the private range is set incorrectly through GP/MDM policies, etc.
+
+To understand these causes more thoroughly, there are several concepts to review.
+
+The traffic of network packets (what's permitted and what’s not) on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app
+or the private range is configured incorrectly, it affects how the UWP app’s network traffic will be processed by WFP.
+
+When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet does not match any of the filter conditions, leading the packet to be dropped by a default block filter. The presence of the default block
+filters ensures network isolation for UWP applications. Specifically, it guarantees a network drop for a packet that does not have the correct capabilities for the resource it is trying to reach. This ensures the application’s granular access to each resource type and preventing the application from escaping its environment.
+
+For more information on the filter arbitration algorithm and network isolation,
+see [Filter
+Arbitration](https://docs.microsoft.com/windows/win32/fwp/filter-arbitration)
+and
+[Isolation](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation).
+
+The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues.
+
+> [!NOTE]
+> As improvements to debugging and diagnostics in the Windows Filtering Platform are made, the trace examples in this document may not exactly match the
+traces collected on previous releases of Windows.
+
+## Debugging UWP App Loopback scenarios
+
+If you need to establish a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback.
+
+To enable loopback for client outbound connections, run the following at a command prompt:
+
+```console
+CheckNetIsolation.exe LoopbackExempt -a -n=
+```
+
+To enable loopback for server inbound connections, run the following at a
+command prompt:
+```console
+CheckNetIsolation.exe LoopbackExempt -is -n=
+```
+You can ensure loopback is enabled by checking the appx manifests of both the sender and receiver.
+
+For more information about loopback scenarios, see [Communicating with
+localhost
+(loopback)](https://docs.microsoft.com/windows/iot-core/develop-your-app/loopback).
+
+## Debugging Live Drops
+
+If the issue happened recently, but you find you are not able to reproduce the issue, go to Debugging Past Drops for the appropriate trace commands.
+
+If you can consistently reproduce the issue, then you can run the following in an admin command prompt to gather a fresh trace:
+
+```console
+Netsh wfp capture start keywords=19
+
+Netsh wfp capture stop
+```
+
+These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains any allow or drop netEvents and filters that existed during that repro. Without “keywords=19”, the trace will only collect drop netEvents.
+
+Inside the wfpdiag.xml, search for netEvents which have
+FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant drop events, search for the drop events with matching destination IP address,
+package SID, or application ID name. The characters in the application ID name
+will be separated by periods:
+
+```XML
+(ex)
+
+
+\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e...
+
+
+```
+
+The netEvent will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more.
+
+## Case 1: UWP app connects to Internet target address with all capabilities
+
+In this example, the UWP app successfully connects to bing.com
+[2620:1ec:c11::200].
+
+A packet from a UWP app needs the correct networking capability token for the resource it is trying to reach.
+
+In this scenario, the app could successfully send a packet to the Internet target because it had an Internet capability token.
+
+The following shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet including its local address,
+remote address, capabilities, etc.
+
+**Classify Allow netEvent, Wfpdiag-Case-1.xml**
+```xml
+
+
+ 2020-05-21T17:25:59.070Z
+
+ - FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+ - FWPM_NET_EVENT_FLAG_APP_ID_SET
+ - FWPM_NET_EVENT_FLAG_USER_ID_SET
+ - FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+ - FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+ FWP_IP_VERSION_V6
+ 6
+ 2001:4898:30:3:256c:e5ba:12f3:beb1
+ 2620:1ec:c11::200
+52127
+443
+0
+
+ 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310030002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
+ \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+ .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+S-1-5-21-2993214446-1947230185-131795049-1000
+FWP_AF_INET6
+S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+0
+
+
+FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW
+
+ 125918
+ 50
+ 0
+ 1
+ 1
+
+
+
+0000000000000000
+
+ - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
+ - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
+ - FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
+
+0
+
+
+ -
+ 125918
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+ FWP_ACTION_PERMIT
+
+ -
+ 121167
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+ FWP_ACTION_PERMIT
+
+
+
+
+```
+
+The following is the filter that permitted the packet to be sent to the target
+address according to the **terminatingFiltersInfo** in the **netEvent**. This packet was
+allowed by Filter #125918, from the InternetClient Default Rule.
+
+**InternetClient Default Rule Filter #125918, Wfpdiag-Case-1.xml**
+```xml
+-
+ {3389708e-f7ae-4ebc-a61a-f659065ab24e}
+
+ InternetClient Default Rule
+ InternetClient Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ ad2b000000000000
+ .+......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V6
+ FWPM_SUBLAYER_MPSSVC_WSH
+ FWP_EMPTY
+
+
+
-
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+ -
+ FWPM_CONDITION_IP_REMOTE_ADDRESS
+ FWP_MATCH_RANGE
+
+ FWP_RANGE_TYPE
+
+
+ FWP_BYTE_ARRAY16_TYPE
+ ::
+
+
+ FWP_BYTE_ARRAY16_TYPE
+ ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+
+
+
+ -
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 125918
+
+ FWP_UINT64
+ 103079219136
+
+
+```
+
+**Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml**
+```xml
+-
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+```
+This is the condition for checking capabilities in this filter.
+
+The important part of this condition is **S-1-15-3-1**, which is the capability SID
+for **INTERNET_CLIENT** privileges.
+
+From the **netEvent** capabilities section,
+capabilities from netEvent, Wfpdiag-Case-1.xml.
+```xml
+
+ - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
- FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
+ - FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
+
+```
+This shows the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the
+filter. All the other conditions are also met for the filter, so the packet is
+allowed.
+
+Something to note is that the only capability token required for the packet to
+reach bing.com was the Internet client token, even though this example showed
+the packet having all capabilities.
+
+## Case 2: UWP APP cannot reach Internet target address and has no capabilities
+
+In this example, the UWP app is unable to connect to bing.com
+[2620:1ec:c11::200].
+
+The following is a drop netEvent that was captured in the trace.
+
+**Classify Drop netEvent, Wfpdiag-Case-2.xml**
+```xml
+
+
+2020-03-30T23:53:09.720Z
+
+ - FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+ - FWPM_NET_EVENT_FLAG_APP_ID_SET
+ - FWPM_NET_EVENT_FLAG_USER_ID_SET
+ - FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+ - FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+FWP_IP_VERSION_V6
+6
+2001:4898:1a:1045:8469:3351:e6e2:543
+2620:1ec:c11::200
+63187
+443
+0
+
+5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e0034002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
+\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...4...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+S-1-5-21-2788718703-1626973220-3690764900-1000
+FWP_AF_INET6
+S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+0
+
+
+FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
+
+68893
+50
+0
+1
+1
+MS_FWP_DIRECTION_OUT
+false
+
+0
+0
+
+
+
+0000000000000000
+
+0
+
+
+-
+68893
+FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+FWP_ACTION_BLOCK
+
+-
+68879
+FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+FWP_ACTION_PERMIT
+
+
+
+
+```
+The first thing that you should check in the **netEvent** is the capabilities
+field. In this example, the capabilities field is empty, indicating that the
+UWP app was not configured with any capability tokens to allow it to connect to
+a network.
+
+**Internal Fields from netEvent, Wfpdiag-Case-2.xml**
+```xml
+
+
+0000000000000000
+
+0
+
+
+-
+68893
+FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+FWP_ACTION_BLOCK
+
+-
+68879
+FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+FWP_ACTION_PERMIT
+
+
+
+```
+The **netEvent** also shows information about the filter that explicitly dropped this packet, like the **FilterId**, listed under classify drop.
+
+**Classify Drop from netEvent, Wfpdiag-Case-2.xml**
+```xml
+
+68893
+50
+0
+1
+1
+MS_FWP_DIRECTION_OUT
+false
+
+0
+0
+
+```
+If you search for the filter #68893 in Wfpdiag-Case2.xml, you'll see that
+the packet was dropped by a Block Outbound Default Rule filter.
+
+**Block Outbound Default Rule Filter #68893, Wfpdiag-Case-2.xml**
+
+```xml
+-
+ {6d51582f-bcf8-42c4-afc9-e2ce7155c11b}
+/t
+ **Block Outbound Default Rule**
+ Block Outbound Default Rule
+
+
+ {4b153735-1049-4480-aab4-d1b9bdc03710}
+
+ b001000000000000
+ ........
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V6
+ {b3cdd441-af90-41ba-a745-7c6008ff2300}
+
+ FWP_EMPTY
+
+
+
-
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+
+
+ FWP_ACTION_BLOCK
+
+
+ 0
+
+ 68893
+
+ FWP_UINT64
+ 68719476736
+
+
+```
+
+A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and not allowed by the other filters in
+the same sublayer.
+
+If the packet had the correct capability token,
+**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched a condition for a
+non-default block filter and would have been permitted to reach bing.com.
+Without the correct capability tokens, the packet will be explicitly dropped by
+a default block outbound filter.
+
+## Case 3: UWP app cannot reach Internet target address without Internet Client capability
+
+In this example, the app is unable to connect to bing.com [2620:1ec:c11::200].
+
+The app in this scenario only has private network capabilities (Client and
+Server). The app is trying to connect to an Internet resource (bing.com), but
+only has a private network token. Therefore, the packet will be dropped.
+
+**Classify Drop netEvent, Wfpdiag-Case-3.xml**
+```xml
+
+
+2020-03-31T16:57:18.570Z
+
+- FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+- FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+- FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+- FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+- FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+- FWPM_NET_EVENT_FLAG_APP_ID_SET
+- FWPM_NET_EVENT_FLAG_USER_ID_SET
+- FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+- FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+FWP_IP_VERSION_V6
+6
+2001:4898:1a:1045:9c65:7805:dd4a:cc4b
+2620:1ec:c11::200
+64086
+443
+0
+
+5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e0035002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
+\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...5...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+S-1-5-21-2788718703-1626973220-3690764900-1000
+FWP_AF_INET6
+S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+0
+
+
+FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
+
+68893
+50
+0
+1
+1
+MS_FWP_DIRECTION_OUT
+false
+
+0
+0
+
+
+
+0000000000000000
+****
+**- FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
**
+****
+0
+
+
+-
+68893
+FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+FWP_ACTION_BLOCK
+
+-
+68879
+FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+FWP_ACTION_PERMIT
+
+
+
+
+```
+
+## Case 4: UWP app cannot reach Intranet target address without Private Network capability
+
+In this example, the UWP app is unable to reach the Intranet target address,
+10.50.50.50, because it does not have a Private Network capability.
+
+**Classify Drop netEvent, Wfpdiag-Case-4.xml**
+```xml
+
+
+ 2020-05-22T21:29:28.601Z
+
+ - FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+ - FWPM_NET_EVENT_FLAG_APP_ID_SET
+ - FWPM_NET_EVENT_FLAG_USER_ID_SET
+ - FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+ - FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+ FWP_IP_VERSION_V4
+ 6
+ 10.216.117.17
+ 10.50.50.50
+ 52998
+ 53
+ 0
+
+ 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310031002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
+ \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+ .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+ S-1-5-21-2993214446-1947230185-131795049-1000
+ FWP_AF_INET
+ S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+ 0
+
+
+ FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
+
+ 121180
+ 48
+ 0
+ 1
+ 1
+ MS_FWP_DIRECTION_OUT
+ false
+
+ 0
+ 0
+
+
+
+ 0000000000000000
+
+ - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
+ - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
+
+ 0
+
+
+ -
+ 121180
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+ FWP_ACTION_BLOCK
+
+ -
+ 121165
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+ FWP_ACTION_PERMIT
+
+
+
+
+```
+## Case 5: UWP app cannot reach “Intranet” target address with Private Network capability
+
+In this example, the UWP app is unable to reach the Intranet target address,
+10.1.1.1, even though it has a Private Network capability token.
+
+**Classify Drop netEvent, Wfpdiag-Case-5.xml**
+```xml
+
+
+ 2020-05-22T20:54:53.499Z
+
+ - FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+ - FWPM_NET_EVENT_FLAG_APP_ID_SET
+ - FWPM_NET_EVENT_FLAG_USER_ID_SET
+ - FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+ - FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+ FWP_IP_VERSION_V4
+ 6
+ 10.216.117.17
+ 10.1.1.1
+ 52956
+ 53
+ 0
+
+ 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310033002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
+ \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+ .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+ S-1-5-21-2993214446-1947230185-131795049-1000
+ FWP_AF_INET
+ S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+ 0
+
+
+ FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
+
+ 121180
+ 48
+ 0
+ 1
+ 1
+ MS_FWP_DIRECTION_OUT
+ false
+
+ 0
+ 0
+
+
+
+ 0000000000000000
+
+ - FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
+
+ 0
+
+
+ -
+ 121180
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+ FWP_ACTION_BLOCK
+
+ -
+ 121165
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+ FWP_ACTION_PERMIT
+
+
+
+
+```
+The following shows the filter that blocked the event:
+
+**Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml**
+
+```xml
+-
+ {e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}
+
+ Block Outbound Default Rule
+ Block Outbound Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ c029000000000000
+ .)......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
-
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+
+
+ FWP_ACTION_BLOCK
+
+
+ 0
+
+ 121180
+
+ FWP_UINT64
+ 274877906944
+
+
+```
+If the target was in the private range, then it should have been allowed by a
+PrivateNetwork Outbound Default Rule filter.
+
+The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address,
+10.1.1.1, is not included in these filters it becomes clear that the address is not in the private range. Check the policies that configure the private range
+on the device (MDM, Group Policy, etc.) and make sure it includes the private target address you wanted to reach.
+
+**PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml**
+```xml
+-
+ {fd65507b-e356-4e2f-966f-0c9f9c1c6e78}
+
+ PrivateNetwork Outbound Default Rule
+ PrivateNetwork Outbound Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ f22d000000000000
+ .-......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
-
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+ -
+ FWPM_CONDITION_IP_REMOTE_ADDRESS
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1.1.1.1
+
+
+ -
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 129656
+
+ FWP_UINT64
+ 144115600392724416
+
+
+ -
+ {b11b4f8a-222e-49d6-8d69-02728681d8bc}
+
+ PrivateNetwork Outbound Default Rule
+ PrivateNetwork Outbound Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ f22d000000000000
+ .-......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
-
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+ -
+ FWPM_CONDITION_IP_REMOTE_ADDRESS
+ FWP_MATCH_RANGE
+
+ FWP_RANGE_TYPE
+
+
+ FWP_UINT32
+ 172.16.0.0
+
+
+ FWP_UINT32
+ 172.31.255.255
+
+
+
+
+ -
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 129657
+
+ FWP_UINT64
+ 36029209335832512
+
+
+-
+ {21cd82bc-6077-4069-94bf-750e5a43ca23}
+
+ PrivateNetwork Outbound Default Rule
+ PrivateNetwork Outbound Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ f22d000000000000
+ .-......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
-
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+ -
+ FWPM_CONDITION_IP_REMOTE_ADDRESS
+ FWP_MATCH_RANGE
+
+ FWP_RANGE_TYPE
+
+
+ FWP_UINT32
+ 192.168.0.0
+
+
+ FWP_UINT32
+ 192.168.255.255
+
+
+
+
+ -
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 129658
+
+ FWP_UINT64
+ 36029209335832512
+
+
+```
+## Debugging Past Drops
+
+If you are debugging a network drop from the past or from a remote machine, you
+may have traces already collected from Feedback Hub, such as nettrace.etl and
+wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the
+netEvents of the reproduced event, and wfpstate.xml will contain the filters
+that were present on the machine at the time.
+
+If you do not have a live repro or traces already collected, you can still
+collect traces after the UWP network connectivity issue has happened by running
+these commands in an admin command prompt
+
+```xml
+
+ Netsh wfp show netevents
+ Netsh wfp show state
+```
+
+**Netsh wfp show netevents** creates netevents.xml, which contains the past
+net events. **Netsh wfp show state** creates wfpstate.xml, which contains
+the current filters present on the machine.
+
+Unfortunately, collecting traces after the UWP network connectivity issue is not
+always reliable.
+
+NetEvents on the device are stored in a buffer. Once that buffer has reached
+maximum capacity, the buffer will overwrite older net events. Due to the buffer
+overwrite, it is possible that the collected netevents.xml will not contain the
+net event associated with the UWP network connectivity issue. It could have been ov
+overwritten. Additionally, filters on the device can get deleted and re-added
+with different filterIds due to miscellaneous events on the device. Because of
+this, a **filterId** from **netsh wfp show netevents** may not necessarily match any
+filter in **netsh wfp show state** because that **filterId** may be outdated.
+
+If you can reproduce the UWP network connectivity issue consistently, we
+recommend using the commands from Debugging Live Drops instead.
+
+Additionally, you can still follow the examples from Debugging Live Drops
+section using the trace commands in this section, even if you do not have a live
+repro. The **netEvents** and filters are stored in one file in Debugging Live Drops
+as opposed to two separate files in the following Debugging Past Drops examples.
+
+## Case 7: Debugging Past Drop - UWP app cannot reach Internet target address and has no capabilities
+
+In this example, the UWP app is unable to connect to bing.com.
+
+Classify Drop Net Event, NetEvents-Case-7.xml
+
+```xml
+-
+
+2020-05-04T22:04:07.039Z
+
+
- FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+- FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+- FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+- FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+- FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+- FWPM_NET_EVENT_FLAG_APP_ID_SET
+- FWPM_NET_EVENT_FLAG_USER_ID_SET
+- FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+- FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+FWP_IP_VERSION_V4
+6
+10.195.36.30
+204.79.197.200
+57062
+443
+0
+
+5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310032002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
+\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+S-1-5-21-1578316205-4060061518-881547182-1000
+FWP_AF_INET
+S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+0
+
+
+FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
+
+206064
+48
+0
+1
+1
+MS_FWP_DIRECTION_OUT
+false
+
+0
+0
+
+
+
+0000000000000000
+
+0
+
+
+-
+206064
+FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+FWP_ACTION_BLOCK
+
+-
+206049
+FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+FWP_ACTION_PERMIT
+
+
+
+
+```
+
+The Internal fields lists no active capabilities, and the packet is dropped at
+filter 206064.
+
+This is a default block rule filter, meaning the packet passed through every
+filter that could have allowed it, but because conditions didn’t match for any
+those filters, the packet fell to the filter which blocks any packet that the
+Security Descriptor doesn’t match.
+
+**Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml**
+
+```xml
+-
+{f138d1ad-9293-478f-8519-c3368e796711}
+
+Block Outbound Default Rule
+Block Outbound Default Rule
+
+
+FWPM_PROVIDER_MPSSVC_WSH
+
+2e65000000000000
+.e......
+
+FWPM_LAYER_ALE_AUTH_CONNECT_V4
+FWPM_SUBLAYER_MPSSVC_WSH
+
+FWP_EMPTY
+
+
+
-
+FWPM_CONDITION_ALE_PACKAGE_ID
+FWP_MATCH_NOT_EQUAL
+
+FWP_SID
+S-1-0-0
+
+
+
+
+FWP_ACTION_BLOCK
+
+
+0
+
+206064
+
+FWP_UINT64
+274877906944
+
+
+```
+## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities
+
+In this example, the UWP app successfully connects to bing.com [204.79.197.200].
+
+**Classify Allow Net Event, NetEvents-Case-8.xml**
+
+```xml
+-
+
+ 2020-05-04T18:49:55.101Z
+
+
- FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+ - FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+ - FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+ - FWPM_NET_EVENT_FLAG_APP_ID_SET
+ - FWPM_NET_EVENT_FLAG_USER_ID_SET
+ - FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+ - FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+ FWP_IP_VERSION_V4
+ 6
+ 10.195.36.30
+ 204.79.197.200
+ 61673
+ 443
+ 0
+
+ 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310030002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
+ \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+ .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+ S-1-5-21-1578316205-4060061518-881547182-1000
+ FWP_AF_INET
+ S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+ 0
+
+
+ FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW
+
+ 208757
+ 48
+ 0
+ 1
+ 1
+
+
+
+ 0000000000000000
+
+ - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
+ - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
+ - FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
+
+ 0
+
+
+ -
+ 208757
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+ FWP_ACTION_PERMIT
+
+ -
+ 206049
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+ FWP_ACTION_PERMIT
+
+
+
+
+```
+All capabilities are enabled and the resulting filter determining the flow of the packet is 208757.
+
+The filter stated above with action permit:
+
+**InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml**
+```xml
+-
+ {e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}
+
+ InternetClient Default Rule
+ InternetClient Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ e167000000000000
+ .g......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
-
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+ -
+ FWPM_CONDITION_IP_REMOTE_ADDRESS
+ FWP_MATCH_RANGE
+
+ FWP_RANGE_TYPE
+
+
+ FWP_UINT32
+ 0.0.0.0
+
+
+ FWP_UINT32
+ 255.255.255.255
+
+
+
+
+ -
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+ -
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 208757
+
+ FWP_UINT64
+ 412316868544
+
+
+```
+The capabilities field in a netEvent was added to the traces in the Windows 10
+May 2019 Update.
diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
index 26796b6814..0449d6b01f 100644
--- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
+++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
@@ -20,13 +20,12 @@ ms.author: dansimp
Designing any deployment starts by performing several important tasks:
-- [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
+- [Identifying your windows defender firewall with advanced security design goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
-- [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+- [Mapping your implementation goals to a Windows Defender Firewall with Advanced Security design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
-- [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
-After you identify your deployment goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics:
+After you identify your implementation goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics:
- [Designing A Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
index 7cbeb23689..a7178f39fe 100644
--- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
+++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
@@ -1,6 +1,6 @@
---
title: Verify That Network Traffic Is Authenticated (Windows 10)
-description: Verify That Network Traffic Is Authenticated
+description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication.
ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
index d91723c3d2..ddb0304065 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
@@ -1,6 +1,6 @@
---
-title: Deploy Windows Defender Firewall with Advanced Security (Windows 10)
-description: Windows Defender Firewall with Advanced Security Deployment Guide
+title: Windows Defender Firewall with Advanced Security deployment overview (Windows 10)
+description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network.
ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56
ms.reviewer:
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual
ms.date: 08/17/2017
---
-# Windows Defender Firewall with Advanced Security Deployment Guide
+# Windows Defender Firewall with Advanced Security deployment overview
**Applies to**
- Windows 10
@@ -46,8 +46,8 @@ After you select your design and gather the required information about the zones
- [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
Use the checklists in [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design.
-
->**Caution:** We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies.
+> [!CAUTION]
+> We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies.
In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded.
@@ -61,10 +61,4 @@ This guide does not provide:
- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication.
-## Overview of Windows Defender Firewall with Advanced Security
-
-Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
-
-The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
-
For more information about Windows Defender Firewall with Advanced Security, see [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md).
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index 70c8912478..d6b2ed3cde 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Firewall with Advanced Security Design Guide (Windows 10)
-description: Windows Defender Firewall with Advanced Security Design Guide
+title: Windows Defender Firewall with Advanced Security design guide (Windows 10)
+description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise.
ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51
ms.reviewer:
ms.author: dansimp
@@ -17,8 +17,7 @@ ms.topic: conceptual
ms.date: 10/05/2017
---
-# Windows Defender Firewall with Advanced Security
-Design Guide
+# Windows Defender Firewall with Advanced Security design guide
**Applies to**
- Windows 10
@@ -40,7 +39,7 @@ Windows Defender Firewall should be part of a comprehensive security solution th
To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory.
-You can use the deployment goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here:
+You can use the implementation goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here:
- **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized.
@@ -68,9 +67,8 @@ Deployment Guide at these locations:
| Topic | Description
| - | - |
| [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Defender Firewall with Advanced Security design process. |
-| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security deployment goals. |
-| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. |
-| [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Defender Firewall to improve the security of the computers connected to the network. |
+| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security implementation goals. |
+| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. |
| [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. |
| [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. |
| [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). |
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 3261e0545f..9718aa85cf 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -1,6 +1,6 @@
---
title: Windows Defender Firewall with Advanced Security (Windows 10)
-description: Windows Defender Firewall with Advanced Security
+description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -25,10 +25,17 @@ ms.custom: asr
This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
+## Overview of Windows Defender Firewall with Advanced Security
+
+Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
+
+The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
+
+
+
## Feature description
-Windows Defender Firewall with Advanced Security
-is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy.
+Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy.
## Practical applications
@@ -41,12 +48,4 @@ To help address your organizational network security challenges, Windows Defende
- **Extends the value of existing investments.** Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
-## In this section
-| Topic | Description
-| - | - |
-| [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices. |
-| [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. |
-| [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. |
-| [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. |
-| [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Defender Firewall with Advanced Security. |
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index fa85062872..e7b8a53f7a 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -35,7 +35,7 @@ The following video provides an overview of Windows Sandbox.
## Prerequisites
-- Windows 10 Pro or Enterprise build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
+- Windows 10 Pro, Enterprise or Education build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
- AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
@@ -48,7 +48,7 @@ The following video provides an overview of Windows Sandbox.
2. Enable virtualization on the machine.
- If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
**Set -VMProcessor -VMName \ -ExposeVirtualizationExtensions $true**
+ - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
**Set-VMProcessor -VMName \ -ExposeVirtualizationExtensions $true**
1. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
- If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.
diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md
index 2b22a606de..c2522f3e4c 100644
--- a/windows/whats-new/get-started-with-1709.md
+++ b/windows/whats-new/get-started-with-1709.md
@@ -1,6 +1,6 @@
---
title: Get started with Windows 10, version 1709
-description: Learn the dos and don'ts for getting started with Windows 10, version 1709.
+description: Learn about features, review requirements, and plan your deployment of Windows 10, version 1709, including IT Pro content, release information, and history.
keywords: ["get started", "windows 10", "fall creators update", "1709"]
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index ba0090d559..309ce421df 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -1,7 +1,7 @@
---
title: What's new in Windows 10, version 1809
ms.reviewer:
-description: New and updated features in Windows 10, version 1809
+description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803.
keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Update"]
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index 8518f5c4af..8c86914b6b 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -124,6 +124,16 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215).
+## Networking
+
+### Wi-Fi 6 and WPA3
+
+Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks.
+
+### TEAP
+
+In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea).
+
## Virtualization
### Windows Sandbox
| | | | |