@@ -136,18 +136,18 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
>[!IMPORTANT]
->The Windows AutoPilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
->Except for clean install scenarios such as traditional bare metal and Windows AutoPilot, all the methods described can optionally migrate apps and settings to the new OS.
+>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
## Modern deployment methods
Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience.
-### Windows AutoPilot
+### Windows Autopilot
-Windows AutoPilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows AutoPilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
+Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
-For more information about Windows AutoPilot, see [Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows AutoPilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
+For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
### In-place upgrade
diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md
index de3ae148a3..e455be3daf 100644
--- a/windows/deployment/windows-10-enterprise-subscription-activation.md
+++ b/windows/deployment/windows-10-enterprise-subscription-activation.md
@@ -23,6 +23,7 @@ With Windows 10 version 1703 (also known as the Creator’s Update), both Window
Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis).
See the following topics in this article:
+- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later.
- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment.
- [Requirements](#requirements): Prerequisites to use the Windows 10 Enterprise subscription model.
- [Benefits](#benefits): Advantages of Windows 10 Enterprise + subscription-based licensing.
@@ -31,6 +32,14 @@ See the following topics in this article:
For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
+## Inherited Activation
+
+Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.
+
+When a user with Windows 10 E3 or E5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM.
+
+To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later.
+
## The evolution of deployment
>The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/).
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 4ac1cc5a28..108816df6c 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -730,7 +730,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
-9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and supress the post-DHCP-install alert:
+9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
new file mode 100644
index 0000000000..baa990f899
--- /dev/null
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -0,0 +1,75 @@
+---
+title: Windows 10 Pro in S mode
+description: Overview of Windows 10 Pro in S mode, switching options, and system requirements
+keywords: Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: deploy
+ms.date: 04/30/2018
+author: Mikeblodge
+---
+
+# Windows 10 Pro/Enterprise in S mode
+
+S mode is an enhanced security mode of Windows 10. Windows 10 Pro and Enterprise in S mode powers affordable, cloud-ready devices that are simple, secure, and efficient. Users can get started quickly, thanks to self-service deployment and a familiar Windows experience. Low-price S mode devices offer tailored solutions for kiosks, digital signs, and task work. If your device is running Windows 10, version 1709, or Windows 10, version 1803, you can switch from Windows 10 in S mode to Windows 10 Pro.
+
+## Benefits of Windows 10 Pro in S mode:
+
+- **Microsoft-verified security** - It reduces risk of malware and exploitations because only Microsoft-verified apps can be installed including Windows Defender Antivirus.
+- **Performance that lasts** - Provides all-day battery life to keep workers on task and not tripping over cords. Also, verified apps won’t degrade device performance over time.
+- **Streamlined for speed** - Offers faster log-in times with Windows Hello. Plus, workers get all the exclusive Windows innovations including Cortana and Windows Ink.
+
+| |Home |S mode |Pro/Pro Education |Enterprise/Education |
+|---------|:---:|:---:|:---:|:---:|
+|Start Menu/Hello/Cortana/
Windows Ink/Microsoft Edge | X | X | X | X |
+|Store apps (including Windows
desktop bridge apps) | X | X | X | X |
+|Windows Update | X | X | X | X |
+|Device Encryption | X | X | X | X |
+|BitLocker | | X | X | X |
+|Windows Update for Business | | X | X | X |
+|Microsoft Store for Education | | X | X | X |
+|Mobile Device Management
and Azure AD join | | X | X | X |
+|Group Policy management and
Active Directory Domain Services | | | X | X |
+|Desktop (Windows 32) Apps | X | | X | X |
+|Change App Defaults
Search/Browser/Photos/etc. | X | | X | X |
+|Credential Guard | | | | X |
+|Device Guard | | | | X |
+
+## Keep Line of Business apps functioning with Desktop Bridge
+Worried about your LOB apps not working in S mode? Using Desktop Bridge will enable you to convert your Line of Business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Windows Store or existing channels.
+
+[Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root)
+
+>[!NOTE]
+>The only way to revert to Windows 10 in S mode is to perform a BMR factory reset. This will allow you to reimage a device.
+
+### Windows 10 in S mode is safe, secure, and fast.
+We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store or by using Autopilot.
+
+## How to switch
+If you’re running Windows 10, version 1709 or version 1803, you can switch to Windows 10 Pro through the Microsoft Store for Business. Devices running version 1803 will only be able to switch through the Store one device at a time.
+
+1. Sign into the Microsoft Store using your Microsoft account.
+2. Search for "Switch to Windows 10 Pro."
+3. In the offer, click **Buy** or **Get**.
+You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. Your device will restart during this process.
+
+You can use Autopilot to switch devices running Windows 10, version 1709. The only requirement is that the devices be enrolled in Intune.
+
+1. In the Intune admin portal, select the quantity of devices you want to switch.
+2. Click the Assign Device link.
+3. In the Assign Switch field, select the device name you would like to switch
+4. Click the continue button.
+
+You will now see the devices you switched listed under Switched Devices.
+
+> [!IMPORTANT]
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a BMR factory reset.
+
+## Related topics
+
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
+[Introdiction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/en-us/intune/what-is-intune)
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index 865fa18cce..3bdaf3e0ba 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -1,8 +1,8 @@
-# [Overview of Windows AutoPilot](windows-10-autopilot.md)
+# [Overview of Windows Autopilot](windows-10-autopilot.md)
-## [The Windows AutoPilot Deployment Program in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
-## [The Windows AutoPilot Deployment Program in Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
-## [The Windows AutoPilot Deployment Program in Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
-## [The Windows AutoPilot Deployment Program in Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
-## [Demo the Windows AutoPilot Deployment Program on a Virtual Machine](windows-10-autopilot-demo-vm.md)
+## [The Windows Autopilot Deployment Program in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
+## [The Windows Autopilot Deployment Program in Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
+## [The Windows Autopilot Deployment Program in Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
+## [The Windows Autopilot Deployment Program in Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
+## [Demo the Windows Autopilot Deployment Program on a Virtual Machine](windows-10-autopilot-demo-vm.md)
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md b/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md
index 505982b0d1..9efe482c59 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md
+++ b/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md
@@ -1,6 +1,6 @@
---
-title: Demo the Windows AutoPilot Deployment Program on a Virtual Machine
-description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows AutoPilot deployment
+title: Demo the Windows Autopilot Deployment Program on a Virtual Machine
+description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ ms.author: daniha
ms.date: 12/21/2017
---
-# Demo the Windows AutoPilot Deployment Program on a Virtual Machine
+# Demo the Windows Autopilot Deployment Program on a Virtual Machine
**Applies to**
- Windows 10
-In this topic you'll learn how to set-up a Windows AutoPilot deployment for a Virtual Machine using Hyper-V.
+In this topic you'll learn how to set-up a Windows Autopilot deployment for a Virtual Machine using Hyper-V.
## Prerequisites
@@ -27,7 +27,7 @@ These are the thing you'll need on your device to get started:
* Internet access (see [Network connectivity requirements](windows-10-autopilot.md#network-connectivity-requirements))
* Hypervisor needs to be unoccupied, or used by Hyper-V, as we will be using Hyper-V to create the Virtual Machine
-See additional prerequisites in the [Windows AutoPilot overview topic](windows-10-autopilot.md#prerequisites).
+See additional prerequisites in the [Windows Autopilot overview topic](windows-10-autopilot.md#prerequisites).
## Create your Virtual Machine
@@ -49,10 +49,10 @@ Now that Hyper-V is enabled, proceed to create your Virtual Machine.
Open a PowerShell prompt **as an administrator** and run the following:
```powershell
-New-VMSwitch -Name AutoPilotExternal -NetAdapterName -AllowManagementOS $true
-New-VM -Name WindowsAutoPilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutoPilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutoPilotExternal
-Add-VMDvdDrive -Path -VMName WindowsAutoPilot
-Start-VM -VMName WindowsAutoPilot
+New-VMSwitch -Name AutopilotExternal -NetAdapterName -AllowManagementOS $true
+New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+Add-VMDvdDrive -Path -VMName WindowsAutopilot
+Start-VM -VMName WindowsAutopilot
```
>[!IMPORTANT]
@@ -61,14 +61,14 @@ Start-VM -VMName WindowsAutoPilot
### Install Windows 10
-Now that the Virtual Machine was created and started, open **Hyper-V Manager** and connect to the **WindowsAutoPilot** Virtual Machine.
+Now that the Virtual Machine was created and started, open **Hyper-V Manager** and connect to the **WindowsAutopilot** Virtual Machine.
Make sure the Virtual Machine booted from the installation media you've provided and complete the Windows installation process.
Once the installation is complete, create a checkpoint. You will create multiple checkpoints throughout this process, which you can later use to go through the process again.
To create the checkpoint, open a PowerShell prompt **as an administrator** and run the following:
```powershell
-Checkpoint-VM -Name WindowsAutoPilot -SnapshotName "Finished Windows install"
+Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
```
## Capture your Virtual Machine's hardware ID
@@ -78,8 +78,8 @@ On the newly created Virtual Machine, open a PowerShell prompt **as an administr
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy Unrestricted
-Install-Script -Name Get-WindowsAutoPilotInfo
-Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
+Install-Script -Name Get-WindowsAutopilotInfo
+Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
>[!NOTE]
@@ -87,34 +87,34 @@ Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
### Mount the Virtual Hard Drive (VHD)
-To gain access to the AutoPilotHWID.csv that contains the hardware ID, stop the Virtual Machine to unlock the Virtual Hard Drive.
+To gain access to the AutopilotHWID.csv that contains the hardware ID, stop the Virtual Machine to unlock the Virtual Hard Drive.
To do that, on your device (**not** on the Virtual Machine), open a PowerShell prompt **as an administrator** and run the following:
```powershell
-Stop-VM -VMName WindowsAutoPilot
+Stop-VM -VMName WindowsAutopilot
```
Once the Virtual Machine has stopped, create a checkpoint:
```powershell
-Checkpoint-VM -Name WindowsAutoPilot -SnapshotName "HWID captured"
+Checkpoint-VM -Name WindowsAutopilot -SnapshotName "HWID captured"
```
With the checkpoint created, continue to mount the VHD:
```powershell
-Mount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutoPilot).Path
+Mount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
```
-Once mounted, navigate to the new drive and copy **AutoPilotHWID.csv** to a location on your device.
+Once mounted, navigate to the new drive and copy **AutopilotHWID.csv** to a location on your device.
Before you proceed, unmount the VHD to unlock it and start the Virtual Machine:
```powershell
-Dismount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutoPilot).Path
-Start-VM -VMName WindowsAutoPilot
+Dismount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
+Start-VM -VMName WindowsAutopilot
```
## Reset Virtual Machine back to Out-Of-Box-Experience (OOBE)
-With the hardware ID captured, prepare your Virtual Machine for Windows AutoPilot deployment by resetting it back to OOBE.
+With the hardware ID captured, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
@@ -158,11 +158,11 @@ For the purposes of this demo, select **All** under the **MDM user scope** and c
## Register your Virtual Machine to your organization
-Navigate to [Microsoft Store for Business device management](https://businessstore.microsoft.com/en-us/manage/devices). Click on **Add devices** and select the **AutoPilotHWID.csv** you've saved earlier. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your Virtual Machine added.
+Navigate to [Microsoft Store for Business device management](https://businessstore.microsoft.com/en-us/manage/devices). Click on **Add devices** and select the **AutopilotHWID.csv** you've saved earlier. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your Virtual Machine added.
-## Create and assign a Windows AutoPilot deployment profile
+## Create and assign a Windows Autopilot deployment profile
Navigate to [Windows enrollment in Microsoft Intune](https://portal.azure.com/#blade/Microsoft_Intune_Enrollment/OverviewBlade/windowsEnrollment).
@@ -170,13 +170,13 @@ Make sure to sync the device you've just registered, by clicking on **Devices**
-### Create a Windows AutoPilot deployment profile
+### Create a Windows Autopilot deployment profile
Click on **Deployment profiles** under **Windows Autopilot Deployment Program (Preview)** and select **Create profile**.
-In the **Create profile** blade, set the name to **AutoPilot Intune Demo**, click on **Out-of-box experience (OOBE)** and configure the following:
+In the **Create profile** blade, set the name to **Autopilot Intune Demo**, click on **Out-of-box experience (OOBE)** and configure the following:
| Setting name | Value |
|---|---|
|Privacy Settings|Hide|
@@ -187,15 +187,15 @@ Click on **Save** and **Create**.
-### Assign a Windows AutoPilot deployment profile
+### Assign a Windows Autopilot deployment profile
-With the deployment profile created, go back to **Devices** under **Windows Autopilot Deployment Program (Preview)** and select your Virtual Machine. Click on **Assign profile** and in the **Assign Profile** blade select **AutoPilot Intune Demo** under the **AutoPilot profile**. Click on **Assign**.
+With the deployment profile created, go back to **Devices** under **Windows Autopilot Deployment Program (Preview)** and select your Virtual Machine. Click on **Assign profile** and in the **Assign Profile** blade select **Autopilot Intune Demo** under the **Autopilot profile**. Click on **Assign**.
-
+
Wait a few minutes for all changes to apply.
-## See Windows AutoPilot in action
+## See Windows Autopilot in action
By now, your Virtual Machine should be back to OOBE. Make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding)
, otherwise those changes might not show up.
@@ -204,6 +204,6 @@ Once you select a language and a keyboard layout, your company branded sign-in s
-Windows AutoPilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
+Windows Autopilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
Missing something in this topic? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-autopilot-demo-vm.md).
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md
index 86055c3cf1..f935924770 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-10-autopilot.md
@@ -1,6 +1,6 @@
---
-title: Overview of Windows AutoPilot
-description: This topic goes over Windows AutoPilot and how it helps setup OOBE Windows 10 devices.
+title: Overview of Windows Autopilot
+description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,32 +12,32 @@ ms.author: daniha
ms.date: 12/13/2017
---
-# Overview of Windows AutoPilot
+# Overview of Windows Autopilot
**Applies to**
- Windows 10
-Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
+Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.
This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
-## Benefits of Windows AutoPilot
+## Benefits of Windows Autopilot
-Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach.
+Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach.
From the users' perspective, it only takes a few simple operations to make their device ready to use.
From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated.
-## Windows AutoPilot Scenarios
+## Windows Autopilot Scenarios
### Cloud-Driven
-The Cloud-Driven scenario enables you to pre-register devices through the Windows AutoPilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
+The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
-#### The Windows AutoPilot Deployment Program experience
+#### The Windows Autopilot Deployment Program experience
-The Windows AutoPilot Deployment Program enables you to:
+The Windows Autopilot Deployment Program enables you to:
* Automatically join devices to Azure Active Directory (Azure AD)
* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites))
* Restrict the Administrator account creation
@@ -48,7 +48,7 @@ The Windows AutoPilot Deployment Program enables you to:
* [Devices must be registered to the organization](#device-registration-and-oobe-customization)
* [Company branding needs to be configured](#configure-company-branding-for-oobe)
-* [Network connectivity to cloud services used by Windows AutoPilot](#network-connectivity-requirements)
+* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements)
* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
* Devices must have access to the internet
* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
@@ -71,7 +71,7 @@ MDM enrollment ensures policies are applied, apps are installed and setting are
In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
-If you would like to capture that information by yourself, you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo), which will generate a .csv file with the device's hardware ID.
+If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID.
Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703:
* Skipping Work or Home usage selection (*Automatic*)
@@ -83,7 +83,7 @@ Once devices are registered, these are the OOBE customization options available
For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options:
* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
-* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
+* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
* [Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
##### Configure company branding for OOBE
@@ -101,7 +101,7 @@ In order for your devices to be auto-enrolled into MDM management, MDM auto-enro
#### Network connectivity requirements
-The Windows AutoPilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
+The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
To manage devices behind firewalls and proxy servers, the following URLs need to be accessible:
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 43202e6dde..cb339d35c0 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,5 +1,5 @@
# [Windows 10 and Windows 10 Mobile](index.md)
-## [Get started](/windows/whats-new/get-started-with-1709)
+## [Get started](/windows/whats-new/whats-new-windows-10-version-1803)
## [What's new](/windows/whats-new)
## [Deployment](/windows/deployment)
## [Configuration](/windows/configuration)
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 40d4c2db5e..aada436128 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -8,7 +8,7 @@ author: greg-lindsay
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.date: 03/28/2018
+ms.date: 04/30/2018
---
# Windows 10 and Windows 10 Mobile
@@ -18,8 +18,7 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
-> [!video https://www.microsoft.com/en-us/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false]
-
+> [!video https://www.youtube.com/embed/LFiP73slWew?autoplay=false]
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 5f5563cbb6..872058c8f7 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -12,14 +12,15 @@ ms.date: 10/19/2017
# Configure Windows Defender Application Guard policy settings
-**Applies to:**
-- Windows 10 Enterpise edition, version 1709
-
Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
Application Guard uses both network isolation and application-specific settings.
### Network isolation settings
+
+**Applies to:**
+- Windows 10 Enterpise edition, version 1709 or higher
+
These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
>[!NOTE]
@@ -37,10 +38,10 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
-|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard.
**Important**
Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
-|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
-|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**- Open a command-line program and navigate to Windows/System32.
- Type `wdagtool.exe cleanup`.
The container environment is reset, retaining only the employee-generated data. - Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
The container environment is reset, including discarding all employee-generated data.
|
-|Turn on Windows Defender Application Guard in Enterprise Mode|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
-
-
+|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Professional, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard.
**Important**
Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Professional, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher
Windows 10 Professional, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Professional, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**- Open a command-line program and navigate to Windows/System32.
- Type `wdagtool.exe cleanup`.
The container environment is reset, retaining only the employee-generated data. - Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
The container environment is reset, including discarding all employee-generated data.
|
+|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
+|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.
**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
+|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803
(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.
**Important**
Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 387b02dde9..d970e7206f 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -50,3 +50,10 @@ Answering frequently asked questions about Windows Defender Application Guard (A
|---|----------------------------|
|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?|
|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.|
+
+
+| | |
+|---|----------------------------|
+|**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?|
+|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to WDAG in RS3 (1709) and RS4 (1803).|
+
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index c6bf82932c..1d9426c339 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -10,17 +10,23 @@ ms.author: lizross
ms.date: 10/19/2017
---
-# Prepare and install Windows Defender Application Guard
-
-**Applies to:**
-- Windows 10 Enterprise edition, version 1709
-
## Prepare to install Windows Defender Application Guard
Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
-- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario.
+**Standalone mode**
-- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container.
+Applies to:
+- Windows 10 Enterprise edition, version 1709 or higher
+- Windows 10 Professional edition, version 1803
+
+Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario.
+
+**Enterprise-managed mode**
+
+Applies to:
+- Windows 10 Enterprise edition, version 1709 or higher
+
+You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests tooad non-enterprise domain(s) in the container.
The following diagram shows the flow between the host PC and the isolated container.
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index 7b79f26762..30f2490010 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -13,7 +13,8 @@ ms.date: 11/09/2017
# System requirements for Windows Defender Application Guard
**Applies to:**
-- Windows 10 Enterprise edition, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
+- Windows 10 Professional edition, version 1803
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
@@ -36,6 +37,6 @@ Your environment needs the following software to run Windows Defender Applicatio
|Software|Description|
|--------|-----------|
-|Operating system|Windows 10 Enterprise edition, version 1709|
+|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803|
|Browser|Microsoft Edge and Internet Explorer|
-|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)
**-OR-**
[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)
**-OR-**
[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
+|Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)
**-OR-**
[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)
**-OR-**
[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index 62c3b16138..d11e0dc92e 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -18,6 +18,7 @@ ms.date: 04/24/2018
- Windows Server 2012 R2
- Windows Server 2016
+- Windows Server, version 1803
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
@@ -29,6 +30,7 @@ Windows Defender ATP extends support to also include the Windows Server operatin
Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
+- Windows Server, version 1803
## Onboard Windows Server 2012 R2 and Windows Server 2016
@@ -80,6 +82,35 @@ Once completed, you should see onboarded servers in the portal within an hour.
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
+## Onboard Windows Server 2012 R2 and Windows Server 2016
+
+You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
+
+1. Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).
+
+2. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
+
+3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+
+ a. Set the following registry entry:
+ - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+ - Name: ForceDefenderPassiveMode
+ - Value: 1
+
+ b. Run the following PowerShell command to verify that the passive mode was configured:
+
+ ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
+
+ c. Confirm that a recent event containing the passive mode event is found:
+
+ 
+
+4. Run the following command to check if Windows Defender AV is installed:
+
+ ```sc query Windefend```
+
+ If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+
## Offboard servers
You have two options to offboard servers from the service:
- Uninstall the MMA agent
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
index da135efb65..472a8abc15 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
@@ -43,4 +43,4 @@ Set the baselines for calculating the score of Windows Defender security control
- [Update data retention settings for Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md)
- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-- [Configure advanced features in Windows Defender ATP](/advanced-features-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [Configure advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index af0f9887a7..63395308fe 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -47,6 +47,7 @@ The following features are included in the preview release:
Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
+ - Windows Server, version 1803
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.
diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
index c6c4102eb5..8fce3d5f13 100644
--- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
@@ -297,6 +297,9 @@ For more information, see [Windows Defender Firewall with Advanced Security](htt
### BitLocker optimization
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for BitLocker is fulfilled.
+>[!IMPORTANT]
+>This security control is only applicable for machines with Windows 10, version 1803 or later.
+
#### Minimum baseline configuration setting for BitLocker
- Ensure all supported internal drives are encrypted
- Ensure that all suspended protection on drives resume protection
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 889d969f79..02ccecc491 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 11/30/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/01/2018
---
@@ -76,6 +76,11 @@ Block Office applications from injecting code into other processes | 75668C1F-73
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
+Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
+Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
@@ -147,7 +152,37 @@ Malware can use macro code in Office files to import and load Win32 DLLs, which
This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs.
+### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
+
+This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
+
+- Executable files (such as .exe, .dll, or .scr)
+- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+
+### Rule: Use advanced protection against ransomware
+
+This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
+
+### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
+
+Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
+>[!IMPORTANT]
+>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
+
+### Rule: Block process creations originating from PSExec and WMI commands
+
+This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
+
+>[!WARNING]
+>[Only use this rule if you are managing your devices with Intune or other MDM solution. If you use this rule with SCCM, it will prevent SCCM compliance rules from working, because this rule blocks the PSExec commands in SCCM.]
+
+### Rule: Block untrusted and unsigned processes that run from USB
+
+With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
+
+- Executable files (such as .exe, .dll, or .scr)
+- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
## Requirements
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index b046ee873b..c9fef6c9d8 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 11/09/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/01/2018
---
# Customize Attack surface reduction
@@ -69,6 +69,11 @@ Block Office applications from creating executable content | [!include[Check mar
Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D
Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25
+Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
+Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index aafca3a295..0e8bf6b047 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 11/09/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/01/2018
---
@@ -59,6 +59,11 @@ Block Office applications from injecting code into other processes | 75668C1F-73
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
+Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
+Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
index 11ef584f2a..22e6c40651 100644
--- a/windows/whats-new/TOC.md
+++ b/windows/whats-new/TOC.md
@@ -1,4 +1,5 @@
# [What's new in Windows 10](index.md)
+## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md)
## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md)
## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md)
## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index 63f5964ba8..e37e313557 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -5,7 +5,7 @@ ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic", "Creators Update", "Fall Creators Update"]
ms.prod: w10
author: TrudyHa
-ms.date: 10/16/2017
+ms.date: 04/30/2018
ms.localizationpriority: high
---
@@ -16,6 +16,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
## In this section
+- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md)
- [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md)
- [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md)
- [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index fba100bb3c..a58a02c87b 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -26,19 +26,19 @@ A brief description of new or updated features in this version of Windows 10 is
## Deployment
-### Windows AutoPilot
+### Windows Autopilot
-Windows AutoPilot is a zero touch experience for deploying Windows 10 devices. Configuration profiles can now be applied at the hardware vendor with devices being shipped directly to employees. For more information, see [Overview of Windows AutoPilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot).
+Windows Autopilot is a zero touch experience for deploying Windows 10 devices. Configuration profiles can now be applied at the hardware vendor with devices being shipped directly to employees. For more information, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot).
-You can also apply an AutoPilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows AutoPilot Deployment](https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices).
+You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices).
### Windows 10 Subscription Activation
Windows 10 Subscription Activation lets you deploy Windows 10 Enterprise in your organization with no keys and no reboots using a list of subscribed users. When a subscribed user signs in on their Windows 10 Pro device, features that are Enterprise-only are automatically enabled. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation).
-### Windows Automatic Redeployment
+### Autopilot Reset
-IT Pros can use Windows Automatic Redeployment to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Windows Automatic Redeployment](https://docs.microsoft.com/education/windows/windows-automatic-redeployment).
+IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
## Update
@@ -115,7 +115,7 @@ The minimum PIN length is being changed from 6 to 4, with a default of 6. For mo
Microsoft has released new [Windows security baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/en-us/windows/device-security/security-compliance-toolkit-10).
### SMBLoris vulnerability
-An issue, known as “SMBLoris”, which could result in denial of service, has been addressed.
+An issue, known as “SMBLoris?, which could result in denial of service, has been addressed.
## Windows Analytics
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
new file mode 100644
index 0000000000..e246e4481c
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -0,0 +1,232 @@
+---
+title: What's new in Windows 10, version 1803
+description: New and updated IT Pro content about new features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
+keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: greg-lindsay
+ms.date: 04/30/2018
+ms.localizationpriority: high
+---
+
+# What's new in Windows 10, version 1803 IT Pro content
+
+**Applies to**
+- Windows 10, version 1803
+
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1803, also known as the Windows 10 April 2018 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1709. Also see [What's New in Windows](https://docs.microsoft.com/en-us/windows-hardware/get-started/what-s-new-in-windows) hardware.
+
+The following 3-minute video summarizes some of the new features that are available in this release.
+
+
+
+> [!video https://www.youtube.com/embed/LFiP73slWew?autoplay=false]
+
+
+## Deployment
+
+### Windows Autopilot
+
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.
+
+Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
+
+Windows Autopilot is now available with Surface, Lenovo, and Dell. Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months. Check back here later for more information.
+
+### Windows 10 in S mode
+
+Windows 10 in S mode is now available on both Windows 10 Home and Pro PCs, and commercial customers will be able to deploy Windows 10 Enterprise in S mode - by starting with Windows 10 Pro in S mode and then activating Windows 10 Enterprise on the computer.
+
+Some additional information about Windows 10 in S mode:
+
+- Microsoft-verified. All of your applications are verified by Microsoft for security and performance.
+- Performance that lasts. Start-ups are quick, and S mode is built to keep them that way.
+- Choice and flexibility. Save your files to your favorite cloud, like OneDrive or DropBox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps[]
+- S mode, on a range of modern devices. Enjoy all the great Windows multi-tasking features, like snapping Windows, task view and virtual desktops on a range of S mode enabled devices.
+
+If you want to switch out of S mode, you will be able to do so at no charge, regardless of edition. Once you switch out of S mode, you cannot switch back.
+
+For more information, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode).
+
+### Windows 10 kiosk and Kiosk Browser
+
+With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.
+
+- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
+- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies
+- Support for multiple screens for digital signage use cases.
+- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
+- The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
+- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
+- For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
+- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.
+
+For more information, see:
+- [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/)
+- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691)
+
+### Windows 10 Subscription Activation
+
+With this release, Subscription Activation supports Inherited Activation. Inherited Activation allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.
+
+For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation#inherited-activation).
+
+### DISM
+
+The following new DISM commands have been added to manage feature updates:
+
+ DISM /Online /Initiate-OSUninstall
+ – Initiates a OS uninstall to take the computer back to the previous installation of windows.
+ DISM /Online /Remove-OSUninstall
+ – Removes the OS uninstall capability from the computer.
+ DISM /Online /Get-OSUninstallWindow
+ – Displays the number of days after upgrade during which uninstall can be performed.
+ DISM /Online /Set-OSUninstallWindow
+ – Sets the number of days after upgrade during which uninstall can be performed.
+
+For more information, see [DISM operating system uninstall command-line options](https://review.docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
+
+### Windows Setup
+
+You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
+
+Prerequisites:
+- Windows 10, version 1803 or later.
+- Windows 10 Enterprise or Pro
+
+For more information, see [Run custom actions during feature update](https://review.docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
+
+It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
+
+ /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]
+
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
+
+New command-line switches are also available to control BitLocker:
+
+ Setup.exe /BitLocker AlwaysSuspend
+ – Always suspend bitlocker during upgrade.
+ Setup.exe /BitLocker TryKeepActive
+ – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
+ Setup.exe /BitLocker ForceKeepActive
+ – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
+
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
+
+### SetupDiag
+
+[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
+
+SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+
+### Windows Update for Business (WUfB)
+
+Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
+
+### Feature update improvements
+
+Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
+
+## Configuration
+
+### Co-management
+
+Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+
+For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
+
+### OS uninstall period
+
+The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
+
+### Windows Hello for Business
+
+[Windows Hello](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section.
+
+- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
+- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
+- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
+- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+- New [public API](https://docs.microsoft.com/en-us/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
+- Is is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
+
+For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
+
+## Accessibility and Privacy
+
+### Accessibility
+
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros).
+
+### Privacy
+
+In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app.
+
+## Security
+
+### Security Baselines
+
+A draft of the new [security baseline for Windows 10 version 1803](https://blogs.technet.microsoft.com/secguide/2018/03/27/security-baseline-for-windows-10-v1803-redstone-4-draft/) has been published.
+
+### Windows Defender Antivirus
+
+Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+
+### Windows Defender Exploit Guard
+
+Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.
+
+For more information, see [Reduce attack surfaces with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
+
+### Windows Defender ATP
+
+[Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
+
+- [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+- [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
+- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
+
+Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
+
+### Windows Defender Application Guard
+
+Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements)
+
+### Windows Defender Device Guard
+
+Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide).
+
+### Windows Information Protection
+
+This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234).
+
+### Office 365 Ransomware Detection
+
+For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
+
+## Windows Analytics
+
+### Upgrade Readiness
+
+Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see [Upgrade Readiness now helps assess Spectre and Meltdown protections](https://blogs.technet.microsoft.com/upgradeanalytics/2018/02/13/upgrade-readiness-now-helps-assess-spectre-and-meltdown-protections/)
+
+### Update Compliance
+
+Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-delivery-optimization)
+
+### Device Health
+
+Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see [Using Device Health](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-using)
+
+## Microsoft Edge
+
+iOS and Android versions of Edge are now available. Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved.
+
+
+## See Also
+
+[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
+[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
+[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.