diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 8ef9349148..8d2b01f4b1 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -78,7 +78,8 @@ Specifies the time zone to be applied to the device. This is the standard Window
-
+Value type is String. Supported values:
+- Name of Standard Time Zone - for example, Pacific Standard Time, Mountain Standard Time.
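Review bot: the single "Supported values" item on the added line mixes the value format with its examples, so it reads as a description rather than a value. State the format once (the standard Windows time zone name, as the context line above already calls it) and then give the examples in code formatting, for example `Pacific Standard Time`, `Mountain Standard Time`, so readers can tell what the exact string must look like.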
@@ -101,4 +102,3 @@ Footnotes:
- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index ea81420b8b..74fc796879 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -81,6 +81,9 @@ This table shows the correct sequence for applying the various tasks to the file
|Add .NET and .NET cumulative updates | | | 24 |
|Export image | 8 | 17 | 25 |
+> [!NOTE]
+> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
+
### Multiple Windows editions
The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
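Review bot: the new note links to servicing-stack-updates.md with an absolute docs.microsoft.com URL although it is a file in the same repo (compare the relative link `windows-10-enterprise-e3-overview.md` used elsewhere in this patch); use a relative link so it follows the page through renames and localization. Also make sure a blank line separates the last table row (`|Export image | 8 | 17 | 25 |`) from `> [!NOTE]`, otherwise some renderers absorb the blockquote into the table.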
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index e2b6404d14..13487eef17 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -29,8 +29,6 @@ Servicing stack updates provide fixes to the servicing stack, the component that
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
-For information about some changes to servicing stack updates, see [Simplifing Deployment of Servicing Stack Updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039) on the Windows IT Pro blog.
-
## When are they released?
Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
@@ -44,7 +42,6 @@ Both Windows 10 and Windows Server use the cumulative update mechanism, in which
Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
-
## Is there any special guidance?
Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
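Review bot: the unchanged text in this hunk now conflicts with the section this patch adds further down. "Servicing stack updates must ship separately from the cumulative updates" and "install the latest servicing stack updates ... before installing the latest cumulative update" are stated without qualification, while the new "Simplifying on-premises deployment" section says the cumulative update will include the servicing stack update from February 2021 on version 2004 and later. Qualify both sentences (for example, "For releases before February 2021, or on versions earlier than 2004, ...") so the page does not contradict itself.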
@@ -58,3 +55,7 @@ Typically, the improvements are reliability and performance improvements that do
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
+
+
+## Simplifying on-premises deployment of servicing stack updates
+With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
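Review bot: two blank lines are added before the new heading; one is enough and matches the rest of the file. The section also states the combined update applies to "Windows 10, version 2004 and later" but leaves a reader on an earlier version without guidance; add a sentence saying what applies to those versions, and consider splitting the single long paragraph at "If you use an endpoint management tool" so the WSUS/Configuration Manager guidance stands on its own.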
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 4e77a4d513..8bf31e807a 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -66,6 +66,9 @@ To find your CommercialID within Azure:
Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance.
+> [!NOTE]
+> If you use or plan to use [Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview), follow the steps in [Enroll devices in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/enroll-devices) to also enroll devices to Update Compliance. You should be aware that the Commercial ID and Log Analytics workspace must be the same for both Desktop Analytics and Update Compliance.
+
> [!NOTE]
> After configuring devices via one of the two methods below, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.
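Review bot: the added note is placed directly before an existing `> [!NOTE]`, so the page now shows two note boxes back to back before the reader reaches the two configuration methods. Either merge the Desktop Analytics guidance into the existing note or move it under the relevant method. "You should be aware that" can be dropped: "The Commercial ID and Log Analytics workspace must be the same for both ..." is shorter and reads as a requirement.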
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index a9ec6583a1..d497aeae62 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -134,7 +134,7 @@ For more details, check out the [Adopting Windows as a Service at Microsoft](htt
**Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
-**Which ports does Delivery Optimization use?**: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
+**Which ports does Delivery Optimization use?**: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound and outbound traffic through your firewall yourself. If you don't allow inbound and outbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
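Review bot: "set this port to accept inbound and outbound traffic" is imprecise on the changed line; a listening port accepts inbound connections, and the outbound side is the device connecting to port 7680 on its peers. Suggest: "allow inbound connections to port 7680 on the device and outbound connections to port 7680 on peer devices." The following unchanged sentence about Teredo still mentions only inbound traffic on port 3544; check whether it needs the same inbound/outbound treatment so the two firewall statements are consistent.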
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index dfb923bbd4..4ca2874fab 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -101,7 +101,7 @@ You can use these variables within sections in the .xml files with `context=User
CSIDL_COMMON_STARTUP |
-The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. |
+The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. |
CSIDL_COMMON_TEMPLATES |
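Review bot: the removed and added lines in this hunk (and in the four hunks that follow for the same file) are visually identical, so the change is presumably whitespace only (trailing spaces or non-breaking characters). Confirm that is the intent and say so in the commit message; a reviewer otherwise has to diff the bytes to know what changed.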
@@ -116,7 +116,7 @@ You can use these variables within sections in the .xml files with `context=User
Refers to the Appdata folder inside %DEFAULTUSERPROFILE%. |
-CSIDL_DEFAULT_LOCAL_APPDATA |
+CSIDL_DEFAULT_LOCAL_APPDATA |
Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%. |
@@ -319,7 +319,7 @@ You can use these variables in the .xml files within sections with `context=User
CSIDL_CONTACTS |
-This refers to the Contacts folder in %CSIDL_PROFILE%. |
+This refers to the Contacts folder in %CSIDL_PROFILE%. |
CSIDL_CONTROLS |
@@ -339,7 +339,7 @@ You can use these variables in the .xml files within sections with `context=User
CSIDL_DRIVES |
-The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives. |
+The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives. |
CSIDL_FAVORITES |
@@ -379,7 +379,7 @@ You can use these variables in the .xml files within sections with `context=User
CSIDL_NETHOOD |
-A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts. |
+A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts. |
CSIDL_NETWORK |
@@ -467,5 +467,3 @@ You can use these variables in the .xml files within sections with `context=User
-
-
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index e9c419383d..1d42b159e5 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -29,6 +29,9 @@ ms.topic: article
>- Windows Server 2012
>- Windows Server 2016
>- Windows Server 2019
+>- Office 2013*
+>- Office 2016*
+>- Office 2019*
**Looking for retail activation?**
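Review bot: the three added Office entries carry a trailing asterisk, which signals a footnote, but no footnote text appears in this hunk. Either add the footnote (presumably pointing at the Office Volume License Pack requirement added later in this patch) or drop the asterisks.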
@@ -97,6 +100,17 @@ When a reactivation event occurs, the client queries AD DS for the activation o
1. Activate your KMS host key by phone or online (Figure 15).

+
+ > [!NOTE]
+ > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
+
+
+ - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
+
+ - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
+
+ - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
+
**Figure 15**. Choosing how to activate your product
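Review bot: the note and the three links are inserted between step 1 and the **Figure 15** caption; if the figure image sits before the caption, the note now splits the image from its caption, so place the block after the caption instead. The hunk also adds runs of two blank lines (before the note and between the note and the list); one blank line is enough, and the list items do not need blank lines between them.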
@@ -115,6 +129,8 @@ To verify your Active Directory-based activation configuration, complete the fol
> [!NOTE]
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
+> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
+
## See also
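Review bot: the VAMT sentence is appended as a third line inside the note about distinguishing KMS from Active Directory-based activation, but it is not related to that topic. Move it out of the blockquote into its own paragraph (or a separate `> [!TIP]`), and replace "please consider using" with "use" to match the docs voice.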
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index eb894fafdc..9fb64c43d7 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -91,6 +91,7 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products &
- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
- Azure Active Directory (Azure AD) available for identity management.
- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
+- Windows 10 per user licensing is not available for per device based licensing.
For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
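Review bot: the added requirement "Windows 10 per user licensing is not available for per device based licensing" does not state a requirement the reader can check, and it is unclear which model is being excluded. Rewrite it to say plainly what subscription activation supports and what it does not (for example, that per-device licenses do not qualify, if that is the intent), and hyphenate the compounds ("per-user", "per-device").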
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 2a553e3421..35853c7fd0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -35,7 +35,7 @@ ms.reviewer:
The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
>[!IMPORTANT]
-> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer.
+> The Microsoft PIN reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro Edition** with Windows 10, version 1903 and later.
### Onboarding the Microsoft PIN reset service to your Intune tenant
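Review bot: while editing this paragraph, fix the unchanged first sentence, "The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN": subject and verb disagree, and the clause order is awkward. Suggest "The Microsoft PIN reset service enables you to help users who have forgotten their PIN." The changed line's lowercase "PIN reset service" is good; check that the remaining occurrences in the file use the same casing.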
@@ -49,8 +49,10 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.

+
> [!NOTE]
> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
+
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.

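Review bot: the added blank lines around the `> [!NOTE]` block, combined with the blockquote not being indented under step 4, end the numbered list before step 5, so the list may render as two lists. Indent the note (and the blank lines) by the width of the list marker so it stays inside step 4, then step 5 continues the same list.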
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index d7355b0c32..5a639e777f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/20/2018
+ms.date: 02/19/2021
ms.reviewer:
---
# Configure Hybrid Windows Hello for Business: Group Policy
@@ -55,7 +55,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
8. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**.
9. Select **Enabled** from the **Configuration Model** list.
-10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
+10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box.
11. Select the **Update certificates that use certificate templates** check box.
12. Click **OK**. Close the **Group Policy Management Editor**.
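Review bot: the unchanged step 8 in this hunk contains a replacement character: "Certificate Services Client � Auto-Enrollment". Since the file is already being touched and its ms.date bumped, fix the mis-encoded character (the setting name uses a dash) so the UI name the reader must find is correct.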
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index a9eed379da..5fdc489294 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -25,14 +25,16 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W
A script can help you with an alternative to MBSA’s patch-compliance checking:
- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
+
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
For example:
[](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
-[](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be)
+[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0/Content/Scan-UpdatesOffline.ps1)
-The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
+The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) ([wsusscn2.cab](https://go.microsoft.com/fwlink/?LinkID=74689)) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
+
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
## More Information
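Review bot: both links under "For example:" have empty link text (`[](...)`), so they render as nothing and the "For example:" lead-in points at an empty space; if these are meant to be images, restore the image syntax with alt text, otherwise give the links visible text such as the script names. The new link also goes to the raw `Scan-UpdatesOffline.ps1` content rather than the package page linked two lines above; say which one the reader should use. Note also that the added blank line after the bullet separates it from the PowerShell sentence, which now reads as a standalone paragraph rather than part of the script list.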
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 3c97136983..531fd81b5c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: tewchen, pahuijbr, shwjha
manager: dansimp
-ms.date: 02/09/2021
+ms.date: 02/24/2021
ms.technology: mde
---
@@ -81,13 +81,13 @@ The table in this section summarizes the functionality and features that are ava
> [!IMPORTANT]
> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode.
-|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled |
-|:---|:---|:---|:---|:---|
-| [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No |
-| [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes |
-| [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
-| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No |
-| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
+|Protection |Active mode |Passive mode |Disabled or uninstalled |
+|:---|:---|:---|:---|
+| [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No |
+| [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | Yes |
+| [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | No |
+| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | No |
+| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | No |
(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
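Review bot: the "EDR in block mode" column is removed from the table, but the `> [!IMPORTANT]` note two lines above it still says "or you are using EDR in block mode", and footnotes [3] and [4] are kept. Either remove the EDR mention from the note as well or keep a sentence explaining how EDR in block mode relates to the remaining columns, so the note and table stay consistent; also confirm the footnote numbering still matches after the column removal.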
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 60b5e96c41..938a3e95a4 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -1,6 +1,6 @@
---
-title: FAQ - Microsoft Defender Application Guard (Windows 10)
-description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
+title: Microsoft Defender Application Guard FAQ (Windows 10)
+description: See frequently asked questions and answers for Microsoft Defender Application Guard.
ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 01/21/2021
+ms.date: 03/01/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -19,11 +19,9 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
+This article lists frequently asked questions and answers about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
-## Frequently Asked Questions
-
-### Can I enable Application Guard on machines equipped with 4-GB RAM?
+## Can I enable Application Guard on machines equipped with 4-GB RAM?
We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
@@ -32,29 +30,29 @@ We recommend 8-GB RAM for optimal performance but you can use the following regi
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
-### Can employees download documents from the Application Guard Edge session onto host devices?
+## Can employees download documents from the Application Guard Edge session onto host devices?
In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
-In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
+In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host device. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
-### Can employees copy and paste between the host device and the Application Guard Edge session?
+## Can employees copy and paste between the host device and the Application Guard Edge session?
Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
-### Why don't employees see their Favorites in the Application Guard Edge session?
+## Why don't employees see their Favorites in the Application Guard Edge session?
To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
-### Why aren’t employees able to see their Extensions in the Application Guard Edge session?
+## Why aren’t employees able to see their extensions in the Application Guard Edge session?
-Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
+Currently, the Application Guard Edge session doesn't support extensions. However, we're closely monitoring your feedback about this.
-### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
+## How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
-### Which Input Method Editors (IME) in 19H1 are not supported?
+## Which Input Method Editors (IME) in 19H1 are not supported?
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
- Vietnam Telex keyboard
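Review bot: the promoted heading "Which Input Method Editors (IME) in 19H1 are not supported?" still uses the codename 19H1 while the body says "Windows 10, version 1903"; align the heading on the version number, and use "IMEs" for the plural in both heading and body.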
@@ -70,31 +68,31 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903
- Odia phonetic keyboard
- Punjabi phonetic keyboard
-### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
+## I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
-### What is the WDAGUtilityAccount local account?
+## What is the WDAGUtilityAccount local account?
This account is part of Application Guard beginning with Windows 10, version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
-### How do I trust a subdomain in my site list?
+## How do I trust a subdomain in my site list?
-To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
+To trust a subdomain, you must precede your domain with two dots. For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
-### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
+## Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
-### Is there a size limit to the domain lists that I need to configure?
+## Is there a size limit to the domain lists that I need to configure?
Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383-B limit.
-### Why does my encryption driver break Microsoft Defender Application Guard?
+## Why does my encryption driver break Microsoft Defender Application Guard?
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
-### Why do the Network Isolation policies in Group Policy and CSP look different?
+## Why do the Network Isolation policies in Group Policy and CSP look different?
There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
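Review bot: "16383-B limit" in the domain-list size answer is an abbreviation readers will not parse; write it as "16,383 bytes" (or characters, if that is what the policy actually enforces) and say whether the limit applies to each list separately or to both combined, since the sentence currently names two lists and one limit.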
@@ -104,64 +102,64 @@ For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
-### Why did Application Guard stop working after I turned off hyperthreading?
+## Why did Application Guard stop working after I turned off hyperthreading?
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
-### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
+## Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
-### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file?
+## Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file?
This is a known issue. To mitigate this you need to create two firewall rules.
For guidance on how to create a firewall rule by using group policy, see:
- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
-First rule (DHCP Server):
+### First rule (DHCP Server)
+
1. Program path: `%SystemRoot%\System32\svchost.exe`
2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
3. Protocol UDP
4. Port 67
-Second rule (DHCP Client)
+### Second rule (DHCP Client)
+
This is the same as the first rule, but scoped to local port 68.
-In the Microsoft Defender Firewall user interface go through the following steps:
+
+In the Microsoft Defender Firewall user interface, take the following steps:
1. Right click on inbound rules, create a new rule.
2. Choose **custom rule**.
3. Program path: `%SystemRoot%\System32\svchost.exe`.
-4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
+4. Protocol Type: UDP, Specific ports: 68, Remote port: any.
5. Any IP addresses.
6. Allow the connection.
7. All profiles.
-8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
-9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
+8. The new rule should show up in the user interface. Right-click on the rule, and then select **Properties**.
+9. In the **Programs and services** tab, under **Services**, select **settings**.
+10. Choose **Apply to this Service**, and then select **Internet Connection Sharing (ICS) Shared Access**.
-### Why can I not launch Application Guard when Exploit Guard is enabled?
+## Why can I not launch Application Guard when Exploit Guard is enabled?
There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
-
-### How can I have ICS in enabled state yet still use Application Guard?
+## How can I have ICS in enabled state yet still use Application Guard?
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
-
2. Disable IpNat.sys from ICS load as follows:
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
-
3. Configure ICS (SharedAccess) to enabled as follows:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
-
4. (This is optional) Disable IPNAT as follows:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
-
5. Reboot the device.
-### Why doesn't the container fully load when device control policies are enabled?
-Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly.
+## Why doesn't the container fully load when device control policies are enabled?
+
+Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure Application Guard works properly. This is a prerequisite. If the device installations have already been blocked by device control policies, the OS must be reinstalled to resolve this issue.
Policy: Allow installation of devices that match any of these device IDs
- `SCSI\DiskMsft____Virtual_Disk____`
@@ -180,8 +178,6 @@ Policy: Allow installation of devices that match any of these device IDs
Policy: Allow installation of devices using drivers that match these device setup classes
- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
-
-
## See also
[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
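Review bot: changing step 4 of the firewall UI walkthrough from port 67 to port 68 leaves the walkthrough describing only the DHCP Client rule, while the text above says two rules are needed; either state that the ten steps are performed twice (once with "Specific ports: 67" for the DHCP Server rule, once with 68 for the DHCP Client rule) or move the walkthrough above the two rule headings. Two smaller points in the same hunk: the encryption-driver paragraph ("Microsoft Defender Application Guard accesses files from a VHD ... `0x80070013 ERROR_WRITE_PROTECT`") appears a second time as context right after "For EnterpriseNetworkDomainNames, there is no mapped CSP policy.", where it belongs to no question and should be deleted; and in the ICS answer the step 2 key `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat` lacks the `HKEY_LOCAL_MACHINE\` prefix that steps 3 and 4 use.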
diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
index 4adca6674f..034d227013 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
@@ -13,7 +13,7 @@ ms.topic: article
author: dansimp
ms.author: dansimp
ms.custom: nextgen
-ms.date: 02/18/2021
+ms.date: 02/24/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 5aabbdddd6..f5c7c3085a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
-ms.date: 02/11/2021
+ms.date: 03/01/2021
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -37,7 +37,7 @@ In endpoint protection solutions, a false positive is an entity, such as a file

-Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address them by using the following process:
+Microsoft Defender for Endpoint enables your security operations team to fine-tune your security settings and help address and reduce false positives. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use the following process:
1. [Review and classify alerts](#part-1-review-and-classify-alerts)
2. [Review remediation actions that were taken](#part-2-review-remediation-actions)
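Review bot: the rewritten intro sentence now promises help only with "false positives", while the very next sentence and the file name (false-positives-negatives) cover both false positives and false negatives; keep "false positives and false negatives" in the first sentence so the scope does not narrow mid-paragraph.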
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index 046a880398..50c80fed5b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -228,6 +228,7 @@ This table lists the individual **Mitigations** (and **Audits**, when available)
| Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter |
| :-------------- | :--------- | :---------------------------------- | :-------------------------- |
| Control flow guard (CFG) | System and app-level | `CFG`, `StrictCFG`, `SuppressExports` | Audit not available |
+| Hardware-enforced Stack Protection | System and app-level | `UserShadowStack`, `UserShadowStackStrictMode` | `AuditUserShadowStack` |
| Data Execution Prevention (DEP) | System and app-level | `DEP`, `EmulateAtlThunks` | Audit not available |
| Force randomization for images (Mandatory ASLR) | System and app-level | `ForceRelocateImages` | Audit not available |
| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | `BottomUp`, `HighEntropy` | Audit not available
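Review bot: the new Hardware-enforced Stack Protection row is well formed, but the Bottom-Up ASLR row directly below it still ends without the closing `|` that every other row in the table has; add it in the same change so the table rows are consistent.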
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/ios-whatsnew.md
new file mode 100644
index 0000000000..b8d75b40e7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-whatsnew.md
@@ -0,0 +1,36 @@
+---
+title: What's new in Microsoft Defender for Endpoint for iOS
+description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint for iOS.
+keywords: microsoft, defender, atp, mac, installation, macos, whatsnew
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: m365-security
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
+ms.author: sunasing
+author: sunasing
+ms.localizationpriority: medium
+manager: sunasing
+audience: ITPro
+ms.collection:
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+ms.topic: conceptual
+ms.technology: mde
+---
+
+# What's new in Microsoft Defender for Endpoint for iOS
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+## 1.1.15010101
+
+- With this version, we are announcing support for iPadOS/iPad devices.
+- Bug fixes.
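Review bot: the `keywords` front matter of the new iOS page lists `mac, installation, macos, whatsnew`, which looks copied from the macOS what's-new page; replace the macOS terms with iOS and iPadOS so the search metadata matches the page the title and description describe.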
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index e017a9cca2..eece58b177 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -161,6 +161,7 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
```
+
For example, if you chose *prod* channel:
```bash
@@ -346,6 +347,8 @@ Download the onboarding package from Microsoft Defender Security Center:
mdatp threat list
```
+ If the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md).
+
## Installer script
Alternatively, you can use an automated [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) provided in our [public GitHub repository](https://github.com/microsoft/mdatp-xplat/).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
index 111a241a5c..a226495d3e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -257,6 +257,30 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
```
+## Testing
+
+Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on a newly onboarded device:
+
+- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
+
+ ```bash
+ mdatp health --field real_time_protection_enabled
+ ```
+
+- Open a Terminal window. Copy and execute the following command:
+
+ ```bash
+ curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
+ ```
+
+- The file should have been quarantined by Defender for Endpoint for Linux. Use the following command to list all the detected threats:
+
+ ```bash
+ mdatp threat list
+ ```
+
+If the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md).
+
## Log installation issues
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
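Review bot: `curl -o ~/Downloads/eicar.com.txt ...` in the new Testing section assumes a `~/Downloads` directory exists, which a headless Linux host onboarded through Ansible typically does not have; in that case curl fails to create the file, nothing is written to disk, and `mdatp threat list` shows nothing, which a reader could mistake for a detection failure. Use a path that always exists (for example `/tmp/eicar.com.txt`) or add a `mkdir -p ~/Downloads` step before the download.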
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
index f3363b34dd..c9005d568a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -55,7 +55,7 @@ Download the onboarding package from Microsoft Defender Security Center:

-4. From a command prompt, verify that you have the file.
+4. From a command prompt, verify that you have the file.
```bash
ls -l
@@ -228,9 +228,33 @@ If the product is not healthy, the exit code (which can be checked through `echo
- 1 if the device isn't onboarded yet.
- 3 if the connection to the daemon cannot be established.
+## Testing
+
+Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on a newly onboarded device:
+
+- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
+
+ ```bash
+ mdatp health --field real_time_protection_enabled
+ ```
+
+- Open a Terminal window. Copy and execute the following command:
+
+ ```bash
+ curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
+ ```
+
+- The file should have been quarantined by Defender for Endpoint for Linux. Use the following command to list all the detected threats:
+
+ ```bash
+ mdatp threat list
+ ```
+
+If the test file isn't detected and quarantined, it might be labeled as an allowed threat. See the [allowedThreats](linux-preferences.md#allowed-threats) option and the structure of the configuration profile at [Set preferences for Microsoft Defender for Endpoint for Linux](linux-preferences.md).
+
## Log installation issues
- For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).
+For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).
## Operating system upgrades
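Review bot: this Testing section is a verbatim copy of the one added to linux-install-with-ansible.md in the same change, and the closing allowedThreats sentence is also added a third time to linux-install-manually.md; since the repo already uses `[!INCLUDE ...]` files (see the new ios-whatsnew.md page), move the block into an include so the three copies do not drift. The `~/Downloads` assumption in the `curl -o` command applies here as well and should use a path that exists on a server.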
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
index 7da256d6f9..f22ca4f413 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
@@ -245,6 +245,16 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu
| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
| **Comments** | Available in Defender for Endpoint version 101.04.76 or higher. |
+#### Maximum on-demand scan threads
+
+Specify the maximum number of CPUs used during scheduled scans.
+|||
+|:---|:---|
+| **Key** | maximumOnDemandScanThreads |
+| **Data type** | String |
+| **Possible values** | 1 to use only 1 CPU. 2 to use 2 CPUs. |
+| **Comments** | Setting this configuration will limit the CPU usage during scheduled scans. |
+
### Cloud-delivered protection preferences
The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
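Review bot: the **Possible values** cell of the new **Maximum on-demand scan threads** entry ("1 to use only 1 CPU. 2 to use 2 CPUs.") reads as two examples rather than a specification; state the minimum, maximum and default the way the scan history entry above does ("10000 (default). Allowed values are from 5000 items to 15000 items."), and add the "Available in Defender for Endpoint version ..." comment that the sibling entry carries. Also the heading says "threads" while the description says "CPUs", and the key is named "on-demand" while the description and comment say "scheduled scans"; pick one term for each so the reader knows which scans the setting limits. Finally, there is no blank line between "Specify the maximum number of CPUs used during scheduled scans." and the `|||` header row, unlike the surrounding entries.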
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index bec0d684e1..b7803dc3b8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -15,7 +15,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 11/20/2019
+ms.date: 01/27/2021
ms.technology: mde
---
@@ -42,7 +42,7 @@ Alice previously created a policy for the organization's lightly-managed devices
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully-managed devices:
- All clients are running Windows 10 version 1903 or above;
-- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
+- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or [co-managed](https://docs.microsoft.com/mem/configmgr/comanage/overview) with Intune;
> [!NOTE]
> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM)