Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

windows/client-management/TOC.md

@@ -4,6 +4,7 @@
 ## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
 ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
 ## [New policies for Windows 10](new-policies-for-windows-10.md)
+## [Windows 10 default media removal policy](change-default-removal-policy-external-storage-media.md)
 ## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
 ## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
 ## [What version of Windows am I running](windows-version-search.md)

windows/client-management/change-default-removal-policy-external-storage-media.md

@@ -0,0 +1,50 @@
+---
+title: Windows 10 default media removal policy
+description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal."
+ms.prod: w10
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 12/13/2019
+ms.prod: w10
+ms.topic: article
+ms.custom: 
+- CI 111493
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+manager: kaushika
+---
+
+# Change in default removal policy for external storage media in Windows 10, version 1809
+
+Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**.
+
+In earlier versions of Windows, the default policy was **Better performance**.
+
+You can change the policy setting for each external device, and the policy that you set remains in effect if you disconnect the device and then connect it again to the same computer port.
+
+## More information
+
+You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:
+
+* **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
+* **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
+   > [!IMPORTANT]  
+   > If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data.
+
+   > [!NOTE]  
+   > If you select **Better performance**, we recommend that you also select **Enable write caching on the device**.
+
+To change the policy for an external storage device:
+
+1. Connect the device to the computer.
+2. Right-click **Start**, then select **File Explorer**.
+3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
+4. Right-click **Start**, then select **Disk Management**.
+5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
+  
+   ![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png)
+  
+6. Select **Policies**, and then select the policy you want to use.
+  
+   ![Policy options for disk management](./images/change-def-rem-policy-2.png)

windows/client-management/change-history-for-client-management.md

@@ -9,7 +9,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 12/06/2018
+ms.date: 12/13/2019
 ms.reviewer: 
 manager: dansimp
 ms.topic: article
@@ -19,6 +19,12 @@ ms.topic: article
 
 This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
 
+## December 2019
+
+New or changed topic | Description
+--- | ---
+[Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New
+
 ## December 2018
 
 New or changed topic | Description

windows/client-management/index.md

@@ -23,6 +23,7 @@ Learn about the administrative tools, tasks and best practices for managing Wind
 |[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
 |[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
 |[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10|
+|[Windows 10 default media removal policy](change-default-removal-policy-external-storage-media.md) |In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal." |
 |[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
 | [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. |
 |[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|

windows/security/information-protection/windows-information-protection/wip-learning.md

@@ -9,8 +9,8 @@ ms.mktglfcycl:
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: LauraWi
-ms.author: laurawi
+author: cabailey
+ms.author: cabailey
 manager: laurawi
 audience: ITPro
 ms.collection: M365-security-compliance

windows/security/threat-protection/microsoft-defender-atp/preview.md

@@ -46,10 +46,6 @@ The following features are included in the preview release:
 
 - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR>Report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).  
  
-- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference) <BR>Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. 
- 
- - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR>Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
-
 - [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR>See a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
 
 - [Machine health and compliance report](machine-reports.md)  The machine health and compliance report provides high-level information about the devices in your organization.

windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md

@@ -31,6 +31,10 @@ For more information preview features, see [Preview features](https://docs.micro
 
 - [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) <BR> Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md).
  
+- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference) <BR>Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. 
+ 
+ - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR>Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
+ 
 - [Threat & Vulnerability Management application end-of-life tag](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) <BR>Applications which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
 
 ## October 2019

windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md

@@ -1,5 +1,5 @@
 ---
-title: Configure always-on real-time Windows Defender Antivirus protection
+title: Enable and configure Windows Defender Antivirus protection capabilities
 description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
 keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
 search.product: eADQiWindows 10XVcnh
@@ -11,13 +11,13 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 11/13/2018
+ms.date: 12/16/2019
 ms.reviewer: 
 manager: dansimp
 ms.custom: nextgen
 ---
 
-# Enable and configure antivirus always-on protection and monitoring
+# Enable and configure Windows Defender Antivirus always-on protection in Group Policy
 
 **Applies to:**
 
@@ -25,50 +25,88 @@ ms.custom: nextgen
 
 Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
 
-These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
+These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
 
-## Configure and enable always-on protection
+## Enable and configure always-on protection in Group Policy
 
-You can configure how always-on protection works with the Group Policy settings described in this section.
+You can use **Local Group Policy Editor** to enable and configure Windows Defender Antivirus always-on protection settings.
 
-To configure these settings:
+To enable and configure always-on protection:
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. Open **Local Group Policy Editor**. To do this:  
+    1. In your Windows 10 taskbar search box, type **gpedit**.
+    2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
+![GPEdit taskbar search result](images/gpedit-search.png)
+2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus**. 
+![Windows Defender Antivirus](images/gpedit-windows-defender-antivirus.png)
+3. Configure the Windows Defender Antivirus antimalware service policy settings. To do this:  
+    1. In the **Windows Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
 
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+    | Setting | Description | Default setting |
+    |-----------------------------|------------------------|-------------------------------|
+    | Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
+    | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
 
-3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+    2. Configure the setting as appropriate, and click **OK**.
+    3. Repeat the previous steps for each setting in the table.
 
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK** and repeat for any other settings.
+4. Configure the Windows Defender Antivirus real-time protection policy settings. To do this:  
+    1. In the **Windows Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Windows Defender Antivirus** tree on left pane, click **Real-time Protection**.
+    ![Windows Defender Antivirus Real-time Protection options](images/gpedit-real-time-protection.png)
+    2. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:  
 
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
-Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition Windows Defender SmartScreen, which scans files before and during downloading | Enabled
-Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled
-Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
-Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
-Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
-Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
-Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity | Enabled
-Root | Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
-Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled
+    | Setting | Description | Default setting |
+    |-----------------------------|------------------------|-------------------------------|
+    | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
+    | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
+    | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
+    | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
+    | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
+    | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
+    | Configure local setting override for turn on behavior monitoring | Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+    | Configure local setting override for scanning all downloaded files and attachments | Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+    | Configure local setting override for monitoring file and program activity on your computer | Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+    | Configure local setting override to turn on real-time protection | Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
+    | Configure local setting override for monitoring for incoming and outgoing file activity | Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled |
+    | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
 
-## Disable real-time protection
+    3. Configure the setting as appropriate, and click **OK**.
+    4. Repeat the previous steps for each setting in the table.
+
+5. Configure the Windows Defender Antivirus scanning policy setting. To do this:  
+    1. From the **Windows Defender Antivirus** tree on left pane, click **Scan**.
+    ![Windows Defender Antivirus Scan options](images/gpedit-windows-defender-antivirus-scan.png)
+
+    2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
+
+    | Setting | Description | Default setting |
+    |-----------------------------|------------------------|-------------------------------|    
+    | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity. | Enabled |
+
+    3. Configure the setting as appropriate, and click **OK**.
+6. Close **Local Group Policy Editor**.
+
+
+## Disable real-time protection in Group Policy
 > [!WARNING]
-> Disabling real-time protection will drastically reduce the protection on your endpoints and is not recommended.
+> Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
 
-The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
+The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
 
-### Use Group Policy to disable real-time protection
+To disable real-time protection in Group policy:  
+1. Open **Local Group Policy Editor**.
+    1. In your Windows 10 taskbar search box, type **gpedit**.
+    2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
 
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+2.  In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Real-time Protection**.
 
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
+![Turn off real-time protection](images/gpedit-turn-off-real-time-protection.png)
 
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**.
-
-4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
+4. In the **Turn off real-time protection** setting window, set the option to **Enabled**.
+![Turn off real-time protection enabled](images/gpedit-turn-off-real-time-protection-enabled.png)
+5. Click **OK**.
+6. Close **Local Group Policy Editor**.
 
 ## Related articles