diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 91081ca4d6..b8688031d0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -58,7 +58,7 @@ { "source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md", "redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "devices/surface/update.md", @@ -15577,6 +15577,11 @@ "redirect_document_id": false }, { +"source_path": "devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md", +"redirect_url": "/surface/manage-surface-driver-and-firmware-updates", +"redirect_document_id": true +}, +{ "source_path": "windows/deployment/planning/windows-10-1809-removed-features.md", "redirect_url": "https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features", "redirect_document_id": false diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index bc26815d56..faefd0d8fc 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -28,7 +28,7 @@ ### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md) ### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md) ### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md) -### [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) +### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) ### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) ### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) 
@@ -40,13 +40,14 @@ ## Manage +### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) ### [Optimize Wi-Fi connectivity for Surface devices](surface-wireless-connect.md) ### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) ### [Surface Dock Firmware Update](surface-dock-firmware-update.md) ### [Battery Limit setting](battery-limit.md) ### [Surface Brightness Control](microsoft-surface-brightness-control.md) ### [Surface Asset Tag](assettag.md) -### [Manage Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) + ## Secure ### [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index ebbb3fc3b5..f99bfa549c 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -18,6 +18,12 @@ ms.date: 10/21/2019 This topic lists new and updated topics in the Surface documentation library. +## January 2020 +| **New or changed topic** | **Description** | +| ------------------------ | --------------- | +| [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)| Updated with the latest information and links to related articles.| + + ## October 2019 | **New or changed topic** | **Description** | 
@@ -37,7 +43,7 @@ This topic lists new and updated topics in the Surface documentation library. | **New or changed topic** | **Description** | | ------------------------ | --------------- | | [Optimizing wireless connectivity for Surface devices](surface-wireless-connect.md) | New document highlights key wireless connectivity considerations for Surface devices in mobile scenarios. | -| [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Updated to reflect minor changes in the file naming convention for Surface MSI files. | +| [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Updated to reflect minor changes in the file naming convention for Surface MSI files. | ## July 2019 
@@ -76,14 +82,14 @@ New or changed topic | Description --- | --- [Surface Brightness Control](microsoft-surface-brightness-control.md) | New [Maintain optimal power settings on Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) | New -|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Studio 2 | +|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface Studio 2 | ## November 2018 New or changed topic | Description --- | --- -|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Pro 6 | +|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface Pro 6 | [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | New [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) | New [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) | New @@ -93,7 +99,7 @@ New or changed topic | Description New or changed topic | Description --- | --- [Battery Limit setting](battery-limit.md) | New -|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface GO | +|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface GO | ## May 2018 
@@ -121,7 +127,7 @@ New or changed topic | Description |New or changed topic | Description | | --- | --- | -|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Book 2, Surface Laptop, Surface Pro, and Surface Pro with LTE Advanced information | +|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface Book 2, Surface Laptop, Surface Pro, and Surface Pro with LTE Advanced information | ## October 2017 @@ -160,7 +166,7 @@ New or changed topic | Description |New or changed topic | Description | | --- | --- | -|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)| +|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)| ## November 2016 diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md deleted file mode 100644 index 92527470f2..0000000000 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ /dev/null 
@@ -1,105 +0,0 @@ ---- -title: Deploy the latest firmware and drivers for Surface devices (Surface) -description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. -ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A -ms.reviewer: dansimp -manager: kaushika -keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device -ms.localizationpriority: medium -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: surface, devices -ms.sitesec: library -author: dansimp -ms.audience: itpro -ms.date: 11/25/2019 -ms.author: dansimp -ms.topic: article ---- - -# Deploy the latest firmware and drivers for Surface devices - -> **Home users:** This article is only intended for technical support agents and IT professionals, and applies only to Surface devices. If you're looking for help to install Surface updates or firmware on a home device, please see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505). - -Under typical conditions, Windows Update automatically keeps Windows Surface devices up-to-date by downloading and installing the latest device drivers and firmware. However, you may sometimes have to download and install updates manually. For example, you may have to manually manage updates when you deploy a new version of Windows. - -## Downloading MSI files - -[Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface) provides links to download installation files for the following: - -- Administrative tools -- Drivers for accessories -- For some devices, updates for Windows - -## Deploying MSI files - -Specific versions of Windows 10 have separate MSI files. Each MSI file contains all required cumulative driver and firmware updates for Surface devices. 
- -The MSI file names contain useful information, including the minimum supported Windows build number that is required to install the drivers and firmware. For example, to install the drivers that are contained in SurfaceBook_Win10_17763_19.080.2031.0.msi on a Surface Book, the device must be running Windows 10 Fall Creators Update, version 1709 or later. - -For more information about build numbers for each Windows version, see [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information). - -### Surface MSI naming convention - -Beginning in August, 2019, MSI files have used the following naming convention: - -> *Product*\_*Windows release*\_*Windows build number*\_*Version number*\_*Revision of version number (typically zero)*. - -**Example** - -Consider the following MSI file: - -> SurfacePro6_Win10_18362_19.073.44195_0.msi - -This file name provides the following information: - -- **Product:** SurfacePro6 -- **Windows release:** Win10 -- **Build:** 18362 -- **Version:** 19.073.44195 – This shows the date and time that the file was created, as follows: - - **Year:** 19 (2019) - - **Month and week:** 073 (third week of July) - - **Minute of the month:** 44195 -- **Revision of version:** 0 (first release of this version) - -### Legacy Surface MSI naming convention - -Legacy MSI files (files that were built before August, 2019) followed the same overall naming formula, but used a different method to derive the version number. 
- -**Example** - -Consider the following MSI file: - -> SurfacePro6_Win10_16299_1900307_0.msi - -This file name provides the following information: - -- **Product:** SurfacePro6 -- **Windows release:** Win10 -- **Build:** 16299 -- **Version:** 1900307 – This shows the date that the file was created and its position in the release sequence, as follows: - - **Year:** 19 (2019) - - **Number of release:** 003 (third release of the year) - - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro) -- **Revision of version:** 0 (first release of this version) - -Use the **version** number to determine the latest files that contain the most recent security updates. For example, consider the following list: - -- SurfacePro6_Win10_16299_1900307_0.msi -- SurfacePro6_Win10_17134_1808507_3.msi -- SurfacePro6_Win10_17763_1808707_3.msi - -In this list, the newest file is the first file (SurfacePro6_Win10_16299_1900307_0.msi). Its **Version** field has the newest date (2019). The other files are from 2018. - -## Supported devices - -For downloadable MSI files for devices that run Surface Pro 2 and later versions, see [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). This article contains information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3, as they are released. - -> [!NOTE] -> There are no downloadable firmware or driver updates available for Surface devices that run Windows RT, including Surface RT and Surface 2. To update these devices, use Windows Update. - -For more information about how to deploy Surface drivers and firmware, see the following articles: - -- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates) - -- [Surface for Business help](https://www.microsoft.com/surface/support/business) 
diff --git a/devices/surface/get-started.md b/devices/surface/get-started.md index af2bc13af9..c81e994d70 100644 --- a/devices/surface/get-started.md +++ b/devices/surface/get-started.md @@ -46,9 +46,10 @@ Harness the power of Surface, Windows, and Office connected together through the

Deploy

+

Manage and deploy Surface driver and firmware updates

Autopilot and Surface devices

Deploying, managing, and servicing Surface Pro X

-

Deploy the latest firmware and drivers

+
diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md index e43a14a63b..2631b5f837 100644 --- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md 
@@ -28,12 +28,12 @@ low power idle state (S0ix). To ensure Surface devices across your organization fully benefit from Surface power optimization features: -- Install the latest drivers and firmware from Windows Update or the Surface Driver and Firmware MSI. This creates the balanced power plan (aka power profile) by default and configures optimal power settings. For more information, refer to [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md). +- Install the latest drivers and firmware from Windows Update or the Surface Driver and Firmware MSI. This creates the balanced power plan (aka power profile) by default and configures optimal power settings. For more information, refer to [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md). - Avoid creating custom power profiles or adjusting advanced power settings not visible in the default UI (**System** > **Power & sleep**). - If you must manage the power profile of devices across your network (such as in highly managed organizations), use the powercfg command tool to export the power plan from the factory image of the Surface device and then import it into the provisioning package for your Surface devices. ->[!NOTE] ->You can only export a power plan across the same type of Surface device. For example, you cannot export a power plan from Surface Laptop and import it on Surface Pro. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings). + >[!NOTE] + >You can only export a power plan across the same type of Surface device. For example, you cannot export a power plan from Surface Laptop and import it on Surface Pro. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings). 
- Exclude Surface devices from any existing power management policy settings. @@ -166,7 +166,7 @@ To learn more, see: | Check app usage | Your apps | Close apps.| | Check your power cord for any damage.| Your power cord | Replace power cord if worn or damaged.| -# Learn more +## Learn more - [Modern standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources) @@ -178,4 +178,4 @@ To learn more, see: - [Battery saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver) -- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) +- [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index 7fbd031cf5..8fbc32d7df 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md @@ -80,7 +80,7 @@ For environments where the SDA server will not be able to connect to the Interne *Figure 2. Specify a local source for Surface driver and app files* -You can find a full list of available driver downloads at [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) +You can find a full list of available driver downloads at [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) >[!NOTE] >Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder. diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index c5869a15d4..fd98f72368 100644 --- a/devices/surface/surface-pro-arm-app-management.md 
+++ b/devices/surface/surface-pro-arm-app-management.md @@ -73,7 +73,7 @@ Surface Pro X was designed to use Windows Update to simplify the process of keep - Use Windows Update or Windows Update for Business for maintaining the latest drivers and firmware. For more information, see [Deploy Updates using Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). - If your procedures require using a Windows Installer .msi file, contact [Surface for Business support](https://support.microsoft.com/help/4037645). -- For more information about deploying and managing updates on Surface devices, see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md). +- For more information about deploying and managing updates on Surface devices, see [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md). - Note that Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X. ## Running apps on Surface Pro X diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 5a4fd15cf0..121f28dad6 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -1,11 +1,13 @@ --- title: ApplicationControl CSP description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server. +keywords: whitelisting, security, malware ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: ManikaDhiman +ms.reviewer: jsuther1974 ms.date: 05/21/2019 --- 
@@ -61,7 +63,8 @@ This node specifies whether a policy is actually loaded by the enforcement engin Scope is dynamic. Supported operation is Get. -Value type is bool. Supported values are as follows: +Value type is bool. Supported values are as follows: + - True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system. - False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default. @@ -70,7 +73,8 @@ This node specifies whether a policy is deployed on the system and is present on Scope is dynamic. Supported operation is Get. -Value type is bool. Supported values are as follows: +Value type is bool. Supported values are as follows: + - True — Indicates that the policy is deployed on the system and is present on the physical machine. - False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default. @@ -79,7 +83,8 @@ This node specifies whether the policy is authorized to be loaded by the enforce Scope is dynamic. Supported operation is Get. -Value type is bool. Supported values are as follows: +Value type is bool. Supported values are as follows: + - True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. - False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. 
@@ -112,24 +117,43 @@ Scope is dynamic. Supported operation is Get. Value type is char. -## Usage guidance +## Microsoft Endpoint Manager (MEM) Intune Usage Guidance -To use ApplicationControl CSP, you must: -- Know a generated policy’s GUID, which can be found in the policy xml as ``. -- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) -If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy via uploading the binary file. +## Non-Intune Usage Guidance + +In order to leverage the ApplicationControl CSP without using Intune, you must: + +1. Know a generated policy’s GUID, which can be found in the policy xml as or for pre-1903 systems. +2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. 
+ +Below is a sample certutil invocation: + +```cmd +certutil -encode WinSiPolicy.p7b WinSiPolicy.cer +``` + +An alternative to using certutil would be to use the following PowerShell invocation: + +```powershell +[Convert]::toBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) +``` + +### Deploy Policies -### Deploy policies To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. To deploy base policy and supplemental policies: -- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. -- Repeat for each base or supplemental policy (with its own GUID and data). + +1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. +2. Repeat for each base or supplemental policy (with its own GUID and data). The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). -**Example 1: Add first base policy** +#### Example 1: Add first base policy + ```xml 1 @@ -144,7 +168,9 @@ The following example shows the deployment of two base policies and a supplement ``` -**Example 2: Add second base policy** + +#### Example 2: Add second base policy + ```xml 1 @@ -159,7 +185,9 @@ The following example shows the deployment of two base policies and a supplement ``` -**Example 3: Add supplemental policy** + +#### Example 3: Add supplemental policy + ```xml 1 
@@ -174,6 +202,7 @@ The following example shows the deployment of two base policies and a supplement ``` + ### Get policies Perform a GET using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it. @@ -190,7 +219,8 @@ The following table displays the result of Get operation on different nodes: |./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful| |./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy| -The following is an example of Get command: +The following is an example of Get command: + ```xml 1 
@@ -203,17 +233,28 @@ The following is an example of Get command: ``` ### Delete policies + +#### Rebootless Deletion + +Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. + +#### Unsigned Policies + To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**. -> [!Note] -> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy. - +#### Signed Policies + +> [!NOTE] +> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy. + To delete a signed policy: + 1. Replace it with a signed update allowing unsigned policy. -2. Deploy another update with unsigned policy. +2. Deploy another update with unsigned Allow All policy. 3. Perform delete. - + The following is an example of Delete command: + ```xml 1 diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index c5b559cf50..2818c2e55f 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md 
@@ -35,7 +35,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > [!NOTE] > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console. +> - Bulk enrollment works in Microsoft Endpoint Configuration Manager where the ppkg is generated from the Configuration Manager console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. ## What you need diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index e05ab31e6f..32ac15d67d 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md 
@@ -15,7 +15,7 @@ ms.date: 06/26/2017 # Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices -Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using System Center Configuration Manager. +Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using Microsoft Endpoint Configuration Manager. Here is a table of update path to Windows 10 Mobile. @@ -79,7 +79,7 @@ Down the road, after the upgrade to Windows 10 is complete, if you decide to pus **Requirements:** - The test device must be same as the other production devices that are receiving the updates. -- Your test device must be enrolled with System Center Configuration Manager. +- Your test device must be enrolled with Microsoft Endpoint Configuration Manager. - Your device can connect to the Internet. - Your device must have an SD card with at least 0.5 GB of free space. - Ensure that the settings app and PhoneUpdate applet are available via Assigned Access. 
@@ -93,7 +93,7 @@ The following diagram is a high-level overview of the process. Define the baseline update set that will be applied to other devices. Use a device that is running the most recent image as the test device. -Trigger the device to check for updates either manually or using System Center Configuration Manager. +Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager. **Manually** 
@@ -104,19 +104,19 @@ Trigger the device to check for updates either manually or using System Center C > **Note**  There is a bug in all OS versions up to GDR2 where the CSP will not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device. -**Using System Center Configuration Manager** +**Using Microsoft Endpoint Configuration Manager** 1. Remotely trigger a scan of the test device by deploying a Trigger Scan Configuration Baseline. - ![device scan using sccm](images/windowsembedded-update2.png) + ![device scan using Configuration Manager](images/windowsembedded-update2.png) 2. Set the value of this OMA-URI by browsing to the settings of this Configuration Item and selecting the newly created Trigger Scan settings from the previous step. - ![device scan using sccm](images/windowsembedded-update3.png) + ![device scan using Configuration Manager](images/windowsembedded-update3.png) 3. Ensure that the value that is specified for this URI is greater than the value on the device(s) and that the Remediate noncompliant rules when supported option is checked. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value. - ![device scan using sccm](images/windowsembedded-update4.png) + ![device scan using Configuration Manager](images/windowsembedded-update4.png) 4. Create a Configuration Baseline for TriggerScan and Deploy. It is recommended that this Configuration Baseline be deployed after the Controlled Updates Baseline has been applied to the device (the corresponding files are deployed on the device through a device sync session). 5. Follow the prompts for downloading the updates, but do not install the updates on the device. 
@@ -132,16 +132,16 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p 1. Create a Configuration Item using ConfigMgr to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml. - > **Note**  In System Center Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large. + > **Note**  In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large. If the XML file is greater than 32K you can also use ./Vendor/MSFT/FileSystem/<*filename*>. 2. Set a baseline for this Configuration Item with a “dummy” value (such as zzz), and ensure that you do not remediate it. The dummy value is not be set; it is only used for comparison. -3. After the report XML is sent to the device, System Center Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. +3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. 4. Parse this log for the report XML content. -For a step-by-step walkthrough, see [How to retrieve a device update report using System Center Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-system-center-configuration-manager-logs). +For a step-by-step walkthrough, see [How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs). **Post-GDR1: Retrieve the report xml file using an SD card** 
@@ -228,7 +228,7 @@ This process has three parts: 1. Create a configuration item and specify that file path and name on the device as `NonPersistent\DUCustomContentURIs.xml` 2. Check the box **Remediate noncompliant settings**. - ![embedded device upate](images/windowsembedded-update21.png) + ![embedded device update](images/windowsembedded-update21.png) 3. Click **OK**. @@ -238,11 +238,11 @@ This process has three parts: 1. Create a configuration baseline item and give it a name (such as ControlledUpdates). 2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then click **OK**. - ![embedded device upate](images/windowsembedded-update22.png) + ![embedded device update](images/windowsembedded-update22.png) 3. Deploy the configuration baseline to the appropriate device or device collection. - ![embedded device upate](images/windowsembedded-update23.png) + ![embedded device update](images/windowsembedded-update23.png) 4. Click **OK**. @@ -252,7 +252,7 @@ Now that the other "production" or "in-store" devices have the necessary informa ### Use this process for unmanaged devices -If the update policy of the device is not managed or restricted by System Center Configuration Manager, an update process can be initiated on the device in one of the following ways: +If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways: - Initiated by a periodic scan that the device automatically performs. - Initiated manually through **Settings** -> **Phone Update** -> **Check for Updates**. 
@@ -261,14 +261,14 @@ If the update policy of the device is not managed or restricted by System Center If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways: -- Trigger the device to scan for updates through System Center Configuration Manager. +- Trigger the device to scan for updates through Microsoft Endpoint Configuration Manager. Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline. > **Note**  Ensure that the PhoneUpdateRestriction Policy is set to a value of 0, to ensure that the device will not perform an automatic scan. -- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in System Center Configuration Manager. +- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager. After the installation of updates is completed, the IT Admin can use the DUReport generated in the production devices to determine if the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2). @@ -456,7 +456,7 @@ DownloadFiles $inputFile $downloadCache $localCacheURL ``` -## How to retrieve a device update report using System Center Configuration Manager logs +## How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs Use this procedure for pre-GDR1 devices. 
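Review bot: renaming the H2 "How to retrieve a device update report using … logs" changes its generated anchor, and unlike a moved file there is no redirection entry that catches links to an old fragment: a stale link lands silently at the top of the page. Grep the repo for `#how-to-retrieve-a-device-update-report-using-system-center-configuration-manager-logs` before merging and update any hits.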
@@ -465,17 +465,17 @@ Use this procedure for pre-GDR1 devices. 1. Trigger a device scan. Go to **Settings** -> **Phone Update** -> **Check for Updates**. Since the DUReport settings have not been remedied, you should see a non-compliance. -2. In System Center Configuration Manager under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Items**. +2. In Microsoft Endpoint Configuration Manager under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Items**. 3. Select **Create Configuration Item**. - ![device update using sccm](images/windowsembedded-update5.png) + ![device update using Configuration Manager](images/windowsembedded-update5.png) 4. Enter a filename (such as GetDUReport) and then choose **Mobile Device**. 5. In the **Mobile Device Settings** page, check the box **Configure Additional Settings that are not in the default settings group**, and the click **Next**. - ![device update using sccm](images/windowsembedded-update6.png) + ![device update using Configuration Manager](images/windowsembedded-update6.png) 6. In the **Additional Settings** page, click **Add**. - ![device update using sccm](images/windowsembedded-update7.png) + ![device update using Configuration Manager](images/windowsembedded-update7.png) 7. In the **Browse Settings** page, click **Create Setting**. ![device update](images/windowsembedded-update8.png) diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 08bae9914c..87c13cbc3e 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md 
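Review bot: the unchanged step 1 context line in this hunk says the DUReport settings "have not been remedied"; the term used throughout this file for Configuration Manager compliance settings is "remediated" (as in "Remediate noncompliant settings"), so fix the wording while the surrounding steps are being edited.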
@@ -279,7 +279,7 @@ There are a few instances where your device may not be able to connect to work, |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | | We could not find your identity in your organization’s cloud. | The username you entered was not found on your Azure AD tenant. | -| Your device is already being managed by an organization. | Your device is either already managed by MDM or System Center Configuration Manager. | +| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Endpoint Configuration Manager. | | You don’t have the right privileges to perform this operation. Please talk to your admin. | You cannot enroll your device into MDM as a standard user. You must be on an administrator account. | | We couldn’t auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | 
@@ -359,7 +359,7 @@ The **Info** button can be found on work or school connections involving MDM. Th Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed. -Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screehshot. +Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot. ![work or school info](images/unifiedenrollment-rs1-35-b.png) diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index a5298bf190..8a9c1a34dc 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md 
@@ -1657,10 +1657,10 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) 
@@ -11034,10 +11034,10 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) 
@@ -23032,10 +23032,10 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) 
@@ -51686,10 +51686,10 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 47a439de72..afb9c4241f 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md 
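Review bot: the identical five-line "Related Documents" block is edited at four widely separated offsets in policy-ddf-file.md (-1657, -11034, -23032, -51686), which suggests this content is generated from, or copied out of, the Policy DDF rather than hand-written. If so, the source that produces this file needs the same URL change, or the next regeneration will bring the /sccm/ links back. Since the old docs.microsoft.com/sccm/... paths redirect, the edit is cosmetic either way, which makes the regeneration risk the only real concern.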
@@ -37,7 +37,7 @@ Windows 10 supports end-to-end device lifecycle management to give companies con ## Deploy Windows 10 Mobile has a built-in device management client to deploy, configure, maintain, and support smartphones. Common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT), this client provides a single interface through which Mobile Device Management (MDM) solutions can manage any device that runs Windows 10. Because the MDM client integrates with identity management, the effort required to manage devices throughout the lifecycle is greatly reduced. -Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or System Center Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select whichever system best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050). +Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or Microsoft Endpoint Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select whichever system best fits their management requirements, whether Microsoft Intune or a third-party MDM product. 
For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050). ### Deployment scenarios 
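Review bot: in the @@ -37 hunk the + line now ends at "third-party MDM product." and the sentence "For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050)." follows on a line of its own. A single line break inside a Markdown paragraph renders as the same paragraph, so if a separate paragraph was intended a blank line is needed; if not, the split is a no-op and could be dropped to keep this hunk to the product rename.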
@@ -187,7 +187,6 @@ Azure AD is a cloud-based directory service that provides identity and access ma **Mobile Device Management** Microsoft [Intune](https://www.microsoft.com/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. -You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](https://technet.microsoft.com/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see Choose between Intune by itself or integrating Intune with System Center Configuration Manager. Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](https://azure.microsoft.com/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account. >**Note:** Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. 
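Review bot: deleting the entire Intune-with-Configuration-Manager paragraph is a content removal, not a product rename like the rest of this commit. It is consistent with dropping the hybrid entries in provisioning-packages.md further down, but the commit message should say so, and a one-line replacement stating that Intune is the supported cloud MDM path would keep readers who followed the old guidance from hitting a gap. Minor: the remaining context line spells the vendor "MobileIron" while provisioning-packages.md in this same patch has "Mobile Iron"; pick one spelling.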
@@ -280,7 +279,7 @@ Employees are usually allowed to change certain personal device settings that yo *Applies to: Corporate devices* -Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi Fi. You can use hardware restrictions to control the availability of these features. +Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can use hardware restrictions to control the availability of these features. The following lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions. 
@@ -303,12 +302,12 @@ The following lists the MDM settings that Windows 10 Mobile supports to configur *Applies to: Personal and corporate devices* -Certificates help improve security by providing account authentication, Wi Fi authentication, VPN encryption, and SSL encryption of web content. Although users can manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates throughout their entire lifecycle – from enrollment through renewal and revocation. +Certificates help improve security by providing account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users can manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates throughout their entire lifecycle – from enrollment through renewal and revocation. To install certificates manually, you can post them on Microsoft Edge website or send them directly via email, which is ideal for testing purposes. Using SCEP and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device (as long as the MDM system supports the Simple Certificate Enrollment Protocol (SCEP) or Personal Information Exchange (PFX)). The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired. In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. The table below lists the Windows 10 Mobile PFX certificate deployment settings. 
Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile). -Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently. +Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidentally. > **Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Microsoft Store. This Windows 10 Mobile app can help you: > - View a summary of all personal certificates 
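Review bot: the + line in the certificates paragraph still says certificates provide "VPN encryption, and SSL encryption of web content". Certificates authenticate endpoints; session encryption is negotiated by the protocol handshake, and that protocol is TLS (SSL is deprecated). Since the line is being rewritten for the Wi-Fi hyphen anyway, suggest "account authentication, Wi-Fi and VPN authentication, and TLS server authentication for web content". The accidently/accidentally fix is fine.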
@@ -322,11 +321,11 @@ Use the Allow Manual Root Certificate Installation setting to prevent users from *Applies to: Corporate and personal devices* -Wi-Fi is used on mobile devices as much as, or more than, cellular data connections. Most corporate Wi Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi Fi information is difficult for typical users to configure, but MDM systems can fully configure these Wi-Fi profiles without user intervention. +Wi-Fi is used on mobile devices as much as, or more than, cellular data connections. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but MDM systems can fully configure these Wi-Fi profiles without user intervention. You can create multiple Wi-Fi profiles in your MDM system. The below table lists the Windows 10 Mobile Wi Fi connection profile settings that can be configured by administrators. -- **SSID** The case-sensitive name of the Wi Fi network Service Set Identifier -- **Security type** The type of security the Wi Fi network uses; can be one of the following authentication types: +- **SSID** The case-sensitive name of the Wi-Fi network Service Set Identifier +- **Security type** The type of security the Wi-Fi network uses; can be one of the following authentication types: - Open 802.11 - Shared 802.11 - WPA-Enterprise 802.11 
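Review bot: this hunk hyphenates Wi-Fi on the surrounding lines but the unchanged context line "The below table lists the Windows 10 Mobile Wi Fi connection profile settings" keeps the unhyphenated form; include it in the change. The same line calls the bulleted list that follows a table; "The following list" is accurate.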
@@ -341,13 +340,13 @@ You can create multiple Wi-Fi profiles in your MDM system. The below table lists - **Extensible Authentication Protocol Transport Layer Security (EAP-TLS)** WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use EAP-TLS with certificates for authentication - **Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2)** WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use PEAP-MSCHAPv2 with a user name and password for authentication - **Shared key** WPA-Personal 802.11 and WPA2-Personal 802.11 security types can use a shared key for authentication. -- **Proxy** The configuration of any network proxy that the Wi Fi connection requires (to specify the proxy server, use its fully qualified domain name [FQDN], Internet Protocol version 4 [IPv4] address, IP version 6 [IPv6] address, or IPvFuture address) -- **Disable Internet connectivity checks** Whether the Wi Fi connection should check for Internet connectivity +- **Proxy** The configuration of any network proxy that the Wi-Fi connection requires (to specify the proxy server, use its fully qualified domain name [FQDN], Internet Protocol version 4 [IPv4] address, IP version 6 [IPv6] address, or IPvFuture address) +- **Disable Internet connectivity checks** Whether the Wi-Fi connection should check for Internet connectivity - **Proxy auto-configuration URL** A URL that specifies the proxy auto-configuration file - **Enable Web Proxy Auto-Discovery Protocol (WPAD)** Specifies whether WPAD is enabled In addition, you can set a few device wide Wi-Fi settings. 
-- **Allow Auto Connect to Wi Fi Sense Hotspots** Whether the device will automatically detect and connect to Wi-Fi networks +- **Allow Auto Connect to Wi-Fi Sense Hotspots** Whether the device will automatically detect and connect to Wi-Fi networks - **Allow Manual Wi-Fi Configuration** Whether the user can manually configure Wi-Fi settings - **Allow Wi-Fi** Whether the Wi-Fi hardware is enabled - **Allow Internet Sharing** Allow or disallow Internet sharing @@ -958,7 +957,7 @@ DHA-enabled device management solutions help IT managers create a unified securi For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](/windows/device-security/windows-10-mobile-security-guide). -Thisis a lists of attributes that are supported by DHA and can trigger the corrective actions mentioned above. +This is a list of attributes that are supported by DHA and can trigger the corrective actions mentioned above. - **Attestation Identity Key (AIK) present** Indicates that an AIK is present (i.e., the device can be trusted more than a device without an AIK). - **Data Execution Prevention (DEP) enabled** Whether a DEP policy is enabled for the device, indicating that the device can be trusted more than a device without a DEP policy. - **BitLocker status** BitLocker helps protect the storage on the device. A device with BitLocker can be trusted more than a device without BitLocker. diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index c0ad05a8bd..7428624219 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md 
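Review bot: in the @@ -341 hunk the bullet "**Shared key** … can use a shared key for authentication." ends with a period while no other bullet in that list does, and the context line "device wide Wi-Fi settings" should read "device-wide"; both are untouched lines inside the hunk being edited. In the @@ -958 hunk the corrected sentence "This is a list of attributes that are supported by DHA and can trigger the corrective actions mentioned above." reads more directly as "The following DHA attributes can trigger the corrective actions described above."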
@@ -141,7 +141,7 @@ ### [Administering UE-V](ue-v/uev-administering-uev.md) #### [Manage Configurations for UE-V](ue-v/uev-manage-configurations.md) ##### [Configuring UE-V with Group Policy Objects](ue-v/uev-configuring-uev-with-group-policy-objects.md) -##### [Configuring UE-V with System Center Configuration Manager](ue-v/uev-configuring-uev-with-system-center-configuration-manager.md) +##### [Configuring UE-V with Microsoft Endpoint Configuration Manager](ue-v/uev-configuring-uev-with-system-center-configuration-manager.md) ##### [Administering UE-V with Windows PowerShell and WMI](ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md) ###### [Managing the UE-V Service and Packages with Windows PowerShell and WMI](ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md) ###### [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index fb9e1c7935..cad5f5470d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -45,7 +45,7 @@ Cortana requires the following hardware and software to successfully run the inc |Client operating system |
  • **Desktop:** Windows 10, version 1703
  • **Mobile:** Windows 10 Mobile, version 1703 (with limited functionality)
  • | |Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isn’t required. | |Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.

    For example:

    If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.

    If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. | -|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)

    If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.| +|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)

    If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.| ## Signing in using Azure AD Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 825037d62d..9ae00ff891 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md 
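Review bot: the rewritten Cortana requirements cell keeps the qualifier "(version 1606 or later)" on the renamed product; that version floor predates the rename, so check whether it still carries information under the new name, or phrase it as "Configuration Manager (version 1606 or later)" as the file does elsewhere. In the UE-V TOC hunk just above, the link text is renamed but the target stays `ue-v/uev-configuring-uev-with-system-center-configuration-manager.md`; keeping the file name is fine for the URL, but the H1 of that target topic needs the same rename or the TOC entry and page title will disagree.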
@@ -36,7 +36,7 @@ To enable voice commands in Cortana - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana). -2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. +2. **Install the VCD file on employees' devices**. You can use Microsoft Endpoint Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. ## Test scenario: Use voice commands in a Microsoft Store app While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index be16f1f393..641af623c3 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
@@ -42,7 +42,7 @@ CSPs are behind many of the management tasks and policies for Windows 10, both i ![how intune maps to csp](../images/policytocsp.png) -CSPs receive configuration policies in the XML-based SyncML format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as System Center Configuration Manager, can also target CSPs, by using a client-side WMI-to-CSP bridge. +CSPs receive configuration policies in the XML-based SyncML format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side WMI-to-CSP bridge. ### Synchronization Markup Language (SyncML) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 3f608dd8ee..035bdf4010 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md 
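Review bot: the rewritten sentence keeps a stray comma before "by using a client-side WMI-to-CSP bridge"; drop it ("can also target CSPs by using a client-side WMI-to-CSP bridge").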
@@ -71,7 +71,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg) | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) | -5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning packge to import to your project, and then click **Finish**. +5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then click **Finish**. >[!TIP] >**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly. @@ -148,7 +148,7 @@ For details on each specific setting, see [Windows Provisioning settings referen - Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) -- [How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://docs.microsoft.com/sccm/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) +- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) ## Related topics diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index b67d2c9fa7..af989096a8 100644 
--- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -112,7 +112,7 @@ The following table provides some examples of settings that you can configure us | Start menu customization | Start menu layout, application pinning | | Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | -\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices. +\* Using a provisioning package for auto-enrollment to Microsoft Endpoint Configuration Manager is not supported. Use the Configuration Manager console to enroll devices. For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). @@ -136,7 +136,7 @@ Windows ICD in Windows 10, version 1607, supported the following scenarios for I * **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: - * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) + * Microsoft Intune (certificate-based enrollment) * AirWatch (password-string based enrollment) * Mobile Iron (password-string based enrollment) * Other MDMs (cert-based enrollment) 
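Review bot: the `@@ -136` hunk in provisioning-packages.md is not a 1:1 rename: `System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment)` becomes `Microsoft Intune (certificate-based enrollment)`, which replaces a retired hybrid-MDM endpoint with a claim that standalone Intune was a supported target of Windows ICD in version 1607, and the surrounding paragraph is explicitly historical ("Windows ICD in Windows 10, version 1607, supported the following scenarios"). Either drop the bullet (Intune is already covered by `Other MDMs (cert-based enrollment)`) or keep the original wording with a note that hybrid MDM has been retired, and call the content change out in the PR description. The `@@ -112` footnote rewrite in the same file reads correctly, since auto-enrollment to Configuration Manager remains unsupported either way.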
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index 0d078ba82b..f7f8d70fcd 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -1,6 +1,6 @@ --- -title: Configuring UE-V with System Center Configuration Manager -description: Configuring UE-V with System Center Configuration Manager +title: Configuring UE-V with Microsoft Endpoint Configuration Manager +description: Configuring UE-V with Microsoft Endpoint Configuration Manager author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy @@ -14,12 +14,12 @@ ms.topic: article --- -# Configuring UE-V with System Center Configuration Manager +# Configuring UE-V with Microsoft Endpoint Configuration Manager **Applies to** - Windows 10, version 1607 -After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of System Center Configuration Manager (2012 SP1 or later) to apply consistent configurations across sites where UE-V and Configuration Manager are installed. +After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. ## UE-V Configuration Pack supported features 
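Review bot: the rename in this hunk drops the minimum-version qualifier `(2012 SP1 or later)` from the UE-V Configuration Pack sentence, so the page no longer says which Configuration Manager releases the pack supports. Microsoft Endpoint Configuration Manager is the current-branch name; if the pack still targets older System Center 2012 SP1 and later sites, keep the floor, for example `Compliance Settings feature of Microsoft Endpoint Configuration Manager (System Center 2012 Configuration Manager SP1 or later)`. Renaming only title, description and H1 while leaving the file name `uev-configuring-uev-with-system-center-configuration-manager.md` unchanged is fine: the URL does not move, so no redirect entry is needed.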
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index 926765cff2..b8b4cb2155 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -117,7 +117,7 @@ You can configure UE-V before, during, or after you enable the UE-V service on u Windows Server 2012 and Windows Server 2012 R2 -- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of System Center Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. +- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. - [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service. diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index edb70df39e..918e018c48 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md 
@@ -222,7 +222,7 @@ After you create a settings location template with the UE-V template generator, You can deploy settings location templates using of these methods: -- An electronic software distribution (ESD) system such as System Center Configuration Manager +- An electronic software distribution (ESD) system such as Microsoft Endpoint Configuration Manager - Group Policy preferences diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md index dddea0457c..71d5841793 100644 --- a/windows/configuration/ue-v/uev-manage-configurations.md +++ b/windows/configuration/ue-v/uev-manage-configurations.md @@ -27,11 +27,11 @@ You can use Group Policy Objects to modify the settings that define how UE-V syn [Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md) -## Configuring UE-V with System Center Configuration Manager +## Configuring UE-V with Microsoft Endpoint Configuration Manager -You can use System Center Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack. +You can use Microsoft Endpoint Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack. -[Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md) +[Configuring UE-V with Microsoft Endpoint Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md) ## Administering UE-V with PowerShell and WMI diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index 7e2ed82e70..c56e5b4661 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md 
@@ -267,9 +267,9 @@ For more information, see the [Windows Application List](uev-managing-settings-l If you are deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices. -Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including System Center Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell. +Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell. -For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md). +For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with Microsoft Endpoint Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md). ### Prevent unintentional user settings configuration 
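Review bot: the rewritten line in the `@@ -267` hunk carries over the fragment `including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog`; `with preferences` has no referent, and the following sentence ("Templates that are deployed with Configuration Manager or Group Policy") shows it means Group Policy preferences. Since the line is being touched anyway, spell it out: `such as an enterprise software distribution method (including Microsoft Endpoint Configuration Manager), with Group Policy preferences, or by configuring a UE-V settings template catalog.`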
@@ -362,7 +362,7 @@ The UE-V service synchronizes user settings for devices that are not always conn Enable this configuration using one of these methods: -- After you enable the UE-V service, use the Settings Management feature in System Center Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration. +- After you enable the UE-V service, use the Settings Management feature in Microsoft Endpoint Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration. - Use Windows PowerShell or Windows Management Instrumentation (WMI) to set the SyncMethod = None configuration. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 2e88d65395..3e09a3f04b 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -35,7 +35,7 @@ ### [Windows 10 deployment test lab](windows-10-poc.md) #### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) -#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) +#### [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) ### [Plan for Windows 10 deployment](planning/index.md) #### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md) 
@@ -267,7 +267,7 @@ ### Use Windows Server Update Services #### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md) #### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md) -### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) +### [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](update/waas-manage-updates-configuration-manager.md) ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) ### [Determine the source of Windows updates](update/windows-update-sources.md) diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md index e6a2e1664a..2389ae314a 100644 --- a/windows/deployment/change-history-for-deploy-windows-10.md +++ b/windows/deployment/change-history-for-deploy-windows-10.md 
@@ -1,160 +1,161 @@ ---- -title: Change history for Deploy Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. -ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Change history for Deploy Windows 10 -This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). - -## April 2018 - -New or changed topic | Description ---- | --- -[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express. - -## November 2017 - -New or changed topic | Description --- | --- - [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml. - -## RELEASE: Windows 10, version 1709 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. | -| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.| - -## July 2017 -| New or changed topic | Description | -|----------------------|-------------| -| The table of contents for deployment topics was reorganized. 
- -## June 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New | - -## April 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. | -| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. | -| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. | -| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. | - - -## RELEASE: Windows 10, version 1703 -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index). - - -## March 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [What's new in Windows 10 deployment](deploy-whats-new.md) | New | -| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. 
| -| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. | -| [Convert MBR partition to GPT](mbr-to-gpt.md) | New | - -## February 2017 -| New or changed topic | Description | -|----------------------|-------------| -| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. | -| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes | -| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content | -| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started | -| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting | -| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New | -| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content | -| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New | -| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New | -| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New | - - -## January 2017 -| New or changed topic | Description | -|----------------------|-------------| -| 
[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New | -| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New | -| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New | -| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) | -| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) | -| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) | -| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) | -| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) | -| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) | -| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) | -| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) | -| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) | -| [Get started with Upgrade 
Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog | -| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | -| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | - - -## October 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New | - -## September 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New | -| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery | -| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows | -| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New | - -## RELEASE: Windows 10, version 1607 - -The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). 
The following new topics have been added: - -- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md) -- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md) -- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md) - -## August 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements | - -## July 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New | - -## June 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New | -| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 | -| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New | - -## May 2016 -| New or changed topic | Description | -|----------------------|-------------| -| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New | - -## December 2015 -| New or changed topic | Description | -|----------------------|-------------| -| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated | -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated | - -## November 2015 -| New or changed topic | Description | -|----------------------|-------------| -| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | 
New | - -## Related topics -- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment) -- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) -- [Change history for Device Security](/windows/device-security/change-history-for-device-security) -- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) +--- +title: Change history for Deploy Windows 10 (Windows 10) +description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Change history for Deploy Windows 10 +This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). + +## April 2018 + +New or changed topic | Description +--- | --- +[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express. + +## November 2017 + +New or changed topic | Description +-- | --- + [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml. + +## RELEASE: Windows 10, version 1709 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. 
| +| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.| + +## July 2017 +| New or changed topic | Description | +|----------------------|-------------| +| The table of contents for deployment topics was reorganized. + +## June 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New | + +## April 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. | +| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. | +| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. | +| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. | + + +## RELEASE: Windows 10, version 1703 +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index). 
+ + +## March 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [What's new in Windows 10 deployment](deploy-whats-new.md) | New | +| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. | +| [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. | +| [Convert MBR partition to GPT](mbr-to-gpt.md) | New | + +## February 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. 
| +| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes | +| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content | +| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started | +| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting | +| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New | +| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content | +| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New | +| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New | +| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New | + + +## January 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New | +| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New | +| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | New | +| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) | +| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) | +| [Create a provisioning package with multivariant 
settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) | +| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) | +| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) | +| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) | +| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) | +| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) | +| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) | +| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog | +| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | +| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the 
provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | + + +## October 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New | + +## September 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New | +| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery | +| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows | +| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New | + +## RELEASE: Windows 10, version 1607 + +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). 
The following new topics have been added: + +- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md) +- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md) +- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md) + +## August 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements | + +## July 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New | + +## June 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New | +| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 | +| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New | + +## May 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New | + +## December 2015 +| New or changed topic | Description | +|----------------------|-------------| +| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated | +| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated | + +## November 2015 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | 
New | + +## Related topics +- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment) +- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) +- [Change history for Device Security](/windows/device-security/change-history-for-device-security) +- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index 1ec460b74e..750119724d 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md 
@@ -1,78 +1,79 @@ ---- -title: Deploy Windows 10 with Microsoft 365 -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Concepts about deploying Windows 10 for M365 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt, sccm, M365 -ms.localizationpriority: medium -audience: itpro author: greg-lindsay -ms.topic: article -ms.collection: M365-modern-desktop ---- - -# Deploy Windows 10 with Microsoft 365 - -**Applies to** - -- Windows 10 - -This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. - -[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview. - -For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: - -- Windows Autopilot -- In-place upgrade -- Deploying Windows 10 upgrade with Intune -- Deploying Windows 10 upgrade with System Center Configuration Manager -- Deploying a computer refresh with System Center Configuration Manager - -## Free trial account - -**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center** - -From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services. -In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles. 
-There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles. - -**If you do not already have a Microsoft services subscription** - -You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. - ->[!NOTE] ->If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. - -1. [Obtain a free M365 trial](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365). -2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/). -3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). - -That's all there is to it! - -Examples of these two deployment advisors are shown below. 
- -- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example) -- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example) - -## Microsoft 365 deployment advisor example -![Microsoft 365 deployment advisor](images/m365da.png) - -## Windows Analytics deployment advisor example - - -## M365 Enterprise poster - -[![M365 Enterprise poster](images/m365e.png)](https://aka.ms/m365eposter) - -## Related Topics - -[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
    -[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) - - - +--- +title: Deploy Windows 10 with Microsoft 365 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Concepts about deploying Windows 10 for M365 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt, sccm, M365 +ms.localizationpriority: medium +audience: itpro +author: greg-lindsay +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Deploy Windows 10 with Microsoft 365 + +**Applies to** + +- Windows 10 + +This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. + +[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview. + +For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: + +- Windows Autopilot +- In-place upgrade +- Deploying Windows 10 upgrade with Intune +- Deploying Windows 10 upgrade with Microsoft Endpoint Configuration Manager +- Deploying a computer refresh with Microsoft Endpoint Configuration Manager + +## Free trial account + +**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center** + +From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services. 
+In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles. +There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles. + +**If you do not already have a Microsoft services subscription** + +You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. + +>[!NOTE] +>If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. + +1. [Obtain a free M365 trial](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365). +2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/). +3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +That's all there is to it! + +Examples of these two deployment advisors are shown below. 
+ +- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example) +- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example) + +## Microsoft 365 deployment advisor example +![Microsoft 365 deployment advisor](images/m365da.png) + +## Windows Analytics deployment advisor example + + +## M365 Enterprise poster + +[![M365 Enterprise poster](images/m365e.png)](https://aka.ms/m365eposter) + +## Related Topics + +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
    +[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) + + + diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index e512fb6f51..0ee0a6d5b3 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md 
@@ -49,7 +49,7 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic ## Windows 10 servicing and support -- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! +- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! - [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. 
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. @@ -157,7 +157,7 @@ For more information, see the following guides: - [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) -- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) +- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) ## Troubleshooting guidance diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md index cb8f13a66b..9fdf3cf07d 100644 --- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md 
@@ -1,75 +1,76 @@ ---- -title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) -description: Operating system images are typically the production image used for deployment throughout the organization. -ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: image, deploy, distribute -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Add a Windows 10 operating system image using Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft System Center 2012 R2 Configuration Manager, and how to distribute the image to a distribution point. - -For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. 
For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). - -1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. - -2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder. - - ![figure 17](../images/fig17-win10image.png) - - Figure 17. The Windows 10 image copied to the Sources folder structure. - -3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**. - -4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**. - -5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**. - -6. Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**. - -7. In the Distribute Content Wizard, add the CM01 distribution point. - -8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. - - ![figure 18](../images/fig18-distwindows.png) - - Figure 18. The distributed Windows 10 Enterprise x64 RTM package. 
- -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +--- +title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) +description: Operating system images are typically the production image used for deployment throughout the organization. 
+ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: image, deploy, distribute +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Add a Windows 10 operating system image using Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). + +Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft Endpoint Configuration Manager, and how to distribute the image to a distribution point. + +For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. 
For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). + +1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. + +2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder. + + ![figure 17](../images/fig17-win10image.png) + + Figure 17. The Windows 10 image copied to the Sources folder structure. + +3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**. + +4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**. + +5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**. + +6. Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**. + +7. In the Distribute Content Wizard, add the CM01 distribution point. + +8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. + + ![figure 18](../images/fig18-distwindows.png) + + Figure 18. The distributed Windows 10 Enterprise x64 RTM package. 
+ +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 19e35e39b3..04dc40cc6e 100644 --- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md 
@@ -24,8 +24,8 @@ ms.topic: article - Windows 10 versions 1507, 1511 >[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. 
Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 975eb2a944..77ad24c498 100644 --- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) -description: Microsoft System Center 2012 R2 Configuration Manager can create custom Windows Preinstallation Environment (Windows PE) boot images with extra features. +description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 ms.reviewer: manager: laurawi 
@@ -23,10 +23,10 @@ ms.topic: article - Windows 10 versions 1507, 1511 >[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). -In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. 
You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. +In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 19ffe1ae2a..f19cafa1a4 100644 --- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md 
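Review bot: the rewritten intro line in this hunk reads "In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images"; the search-and-replace of "System Center 2012 R2 Configuration Manager" kept the "Microsoft" that already preceded the old product name, so the word is now doubled. Drop one so the line reads "In Microsoft Endpoint Configuration Manager, you can create ...". The description line in the same file's frontmatter hunk got this right, so only the body line needs the fix.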
@@ -1,6 +1,6 @@ --- title: Create an app to deploy with Windows 10 using Configuration Manager -description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. +description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.reviewer: manager: laurawi 
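Review bot: the replaced description line carries the same doubled product name: "+description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process." The frontmatter description is what the site emits as the page's meta description, so this one is visible in search results as well as on the page; change it to "Microsoft Endpoint Configuration Manager supports deploying applications ...", matching the body line this patch writes in the next hunk of the same file.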
@@ -23,10 +23,10 @@ ms.topic: article - Windows 10 versions 1507, 1511 >[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). -Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use. +Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. 
In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use. For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md index 71be4f7e4b..6b8c2133f1 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md 
@@ -1,76 +1,77 @@ ---- -title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) -description: In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. -ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deployment, image, UEFI, task sequence -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 using PXE and Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001. - -For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. 
DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. - - ![figure 31](../images/mdt-06-fig36.png) - - Figure 31. PXE booting PC0001. - -2. On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**. - -3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. - -4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. - -![figure 32](../images/mdt-06-fig37.png) - -Figure 32. Typing in the computer name. 
- -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -  - -  - - - - - +--- +title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) +description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. 
+ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deployment, image, UEFI, task sequence +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 using PXE and Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). + +In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001. + +For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +1. 
Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. + + ![figure 31](../images/mdt-06-fig36.png) + + Figure 31. PXE booting PC0001. + +2. On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**. + +3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. + +4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. + +![figure 32](../images/mdt-06-fig37.png) + +Figure 32. Typing in the computer name. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration 
Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index b933315e49..06c696d2c7 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md 
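Review bot: this hunk deletes and re-adds every line of deploy-windows-10-using-pxe-and-configuration-manager.md (-1,76 +1,77) although the only wording changes are the product rename in the description and intro sentence, the two IMPORTANT-note links moving from /sccm/ to /configmgr/, and the "audience: itpro" / "author: greg-lindsay" frontmatter keys landing on separate lines. That shape almost always means a line-ending (CRLF/LF) normalization is riding along with the text edit, which hides the real change from blame and makes the hunk unreviewable as a diff; do the normalization in its own commit (or fix it once via .gitattributes) and keep this commit to the three textual edits. One pre-existing item worth a look while every line is being re-added: step 2 still tells the reader to type the task sequence password "Passw0rd!" at the PXE-booted Task Sequence Wizard, and nothing marks it as a lab-only value; a short note that the boot media/PXE password is set per site and should not be this one would stop the sample from being copied into production.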
@@ -1,114 +1,115 @@ ---- -title: Deploy Windows 10 with System Center 2012 R2 Configuration Manager (Windows 10) -description: If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. -ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deployment, custom, boot -ms.prod: w10 -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Deploy Windows 10 with System Center 2012 R2 Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). - -For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. 
PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -![figure 1](../images/mdt-06-fig01.png) - -Figure 1. The machines used in this topic. - -## In this section - - -- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) - -- [Deploy Windows 10 using PXE and Configuration 
Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md) - -- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -## Components of Configuration Manager operating system deployment - - -Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. - -- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. - -- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. - -- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. - -- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. - -- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. 
- -- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. - -- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). - -- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. - -- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager. - - **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10. 
- -   - -## See also - - -- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) - -- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md) - -- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) - -- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - -- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md) - -- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx) - -- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) - -  - -  - - - - - +--- +title: Deploy Windows 10 with Microsoft Endpoint Configuration Manager (Windows 10) +description: If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. +ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deployment, custom, boot +ms.prod: w10 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Deploy Windows 10 with Microsoft Endpoint Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. 
For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). + +For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![figure 1](../images/mdt-06-fig01.png) + +Figure 1. The machines used in this topic. 
+ +## In this section + + +- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) + +- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md) + +- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +## Components of Configuration Manager operating system deployment + + +Operating system deployment with Configuration Manager is part of the normal software 
distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. + +- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. + +- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. + +- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. + +- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. + +- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. + +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. + +- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). + +- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. 
+ +- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager. + + **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10. + +   + +## See also + + +- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) + +- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md) + +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) + +- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md) + +- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx) + +- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) + +  + +  + + + + + diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index bad7159496..99f2e1edd9 100644 --- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md 
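Review bot: in this file's rewritten IMPORTANT note the two links still point at https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems and https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10, while the same note in every other file touched by this patch was moved to the /configmgr/ paths. Either update both links here too or leave all of them on /sccm/; as submitted, half the pages rely on a redirect and half do not. The same full-file rewrite remark as for the PXE topic applies (-1,114 +1,115 with identical content apart from the title and description rename and the frontmatter line split), so separate the line-ending change from the text change. Two small things to fix since the lines are being re-added anyway: the machine list says "DC01, CM01, PC003, and PC0004" two sentences after introducing the machine as PC0003, and "Windows Server 2012 R2 standard" should be "Standard" as in the other topics.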
@@ -23,10 +23,10 @@ ms.topic: article - Windows 10 versions 1507, 1511 >[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). -This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. 
+This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft Endpoint Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md index e09b542e0e..c1461b27eb 100644 --- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md 
@@ -23,14 +23,14 @@ ms.topic: article - Windows 10 versions 1507, 1511 >[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). -In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature. 
+In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft Endpoint Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature. For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). -To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows: +To monitor an operating system deployment conducted through Microsoft Endpoint Configuration Manager, you will use the Deployment Workbench in MDT as follows: 1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh). diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 2951abbc45..4ccb6b76ea 100644 --- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
@@ -23,10 +23,10 @@ ms.topic: article - Windows 10 versions 1507, 1511 >[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). -This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). 
+This topic will walk you through the process of integrating Microsoft Endpoint Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). ## Prerequisites @@ -45,7 +45,7 @@ In this topic, you will use an existing Configuration Manager server structure t - A Configuration Manager console folder structure for packages has been created. -- System Center 2012 R2 Configuration Manager SP1 and any additional Windows 10 prerequisites are installed. +- Microsoft Endpoint Configuration Manager and any additional Windows 10 prerequisites are installed. For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index f807d3f0e8..d9550467e3 100644 --- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md 
@@ -23,12 +23,12 @@ ms.topic: article - Windows 10 versions 1507, 1511 >[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). -This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. 
A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). +This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft Endpoint Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). -A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps: +A computer refresh with Microsoft Endpoint Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps: 1. Data and settings are backed up locally in a backup folder. 
diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 45d77e1fa1..b00e32b337 100644 --- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md 
@@ -1,240 +1,241 @@ ---- -title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) -description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. -ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, install, installation, replace computer, setup -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10. - -For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. 
PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). - -## Create a replace task sequence - - -1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. - -2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**. - -3. On the **General** page, assign the following settings and click **Next**: - - * Task sequence name: Replace Task Sequence - - * Task sequence comments: USMT backup only - -4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. - -5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**. - -6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. - -7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**. - -8. On the **Summary** page, review the details and then click **Next**. - -9. On the **Confirmation** page, click **Finish**. - -10. Review the Replace Task Sequence. - >[!NOTE] - >This task sequence has many fewer actions than the normal client task sequence. 
If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence. - -![The back-up only task sequence](../images/mdt-06-fig42.png "The back-up only task sequence") - -Figure 34. The backup-only task sequence (named Replace Task Sequence). - -## Associate the new machine with the old computer - - -This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. - -1. Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. - -2. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**. - -3. On the **Select Source** page, select **Import single computer** and click **Next**. - -4. On the **Single Computer** page, use the following settings and then click **Next**: - - * Computer Name: PC0006 - - * MAC Address: <the mac address from step 1> - - * Source Computer: PC0004 - - ![Create the computer association](../images/mdt-06-fig43.png "Create the computer association") - - Figure 35. Creating the computer association between PC0004 and PC0006. - -5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**. - -6. On the **Data Preview** page, click **Next**. - -7. On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**. - -8. On the **Summary** page, click **Next**, and then click **Close**. - -9. Select the **User State Migration** node and review the computer association in the right pane. - -10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. 
Note that a recovery key has been assigned already, but a user state store location has not. - -11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again. - -## Create a device collection and add the PC0004 computer - - -1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings. - - * General - - * Name: USMT Backup (Replace) - - * Limited Collection: All Systems - - * Membership rules: - - * Direct rule - - * Resource Class: System Resource - - * Attribute Name: Name - - * Value: PC0004 - - * Select **Resources** - - * Select **PC0004** - -2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection. - -## Create a new deployment - - -Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: - -- General - - - Collection: USMT Backup (Replace) - -- Deployment Settings - - - Purpose: Available - - - Make available to the following: Only Configuration Manager Clients - -- Scheduling - - - <default> - -- User Experience - - - <default> - -- Alerts - - - <default> - -- Distribution Points - - - <default> - -## Verify the backup - - -This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed. - -1. Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet. - -2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**. 
- - >[!NOTE] - >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). - -3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**. - -4. In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**. - -5. Allow the Replace Task Sequence to complete. It should only take about five minutes. - -6. On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup. - -7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. - - >[!NOTE] - >It may take a few minutes for the user state store location to be populated. - - - -## Deploy the new computer - - -1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: - - * Password: P@ssw0rd - - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image - -2. The setup now starts and does the following: - - * Installs the Windows 10 operating system - - * Installs the Configuration Manager client - - * Joins it to the domain - - * Installs the applications - - * Restores the PC0004 backup - -When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored. 
- -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - - - - - - - - - +--- +title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) +description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. 
+ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: upgrade, install, installation, replace computer, setup +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10). + +In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10. + +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. 
For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). + +## Create a replace task sequence + + +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + +2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**. + +3. On the **General** page, assign the following settings and click **Next**: + + * Task sequence name: Replace Task Sequence + + * Task sequence comments: USMT backup only + +4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. + +5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**. + +6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. + +7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**. + +8. On the **Summary** page, review the details and then click **Next**. + +9. On the **Confirmation** page, click **Finish**. + +10. Review the Replace Task Sequence. + >[!NOTE] + >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence. 
+ +![The back-up only task sequence](../images/mdt-06-fig42.png "The back-up only task sequence") + +Figure 34. The backup-only task sequence (named Replace Task Sequence). + +## Associate the new machine with the old computer + + +This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. + +1. Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. + +2. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**. + +3. On the **Select Source** page, select **Import single computer** and click **Next**. + +4. On the **Single Computer** page, use the following settings and then click **Next**: + + * Computer Name: PC0006 + + * MAC Address: <the mac address from step 1> + + * Source Computer: PC0004 + + ![Create the computer association](../images/mdt-06-fig43.png "Create the computer association") + + Figure 35. Creating the computer association between PC0004 and PC0006. + +5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**. + +6. On the **Data Preview** page, click **Next**. + +7. On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**. + +8. On the **Summary** page, click **Next**, and then click **Close**. + +9. Select the **User State Migration** node and review the computer association in the right pane. + +10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not. + +11. Review the Install Windows 10 Enterprise x64 collection. 
Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again. + +## Create a device collection and add the PC0004 computer + + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings. + + * General + + * Name: USMT Backup (Replace) + + * Limited Collection: All Systems + + * Membership rules: + + * Direct rule + + * Resource Class: System Resource + + * Attribute Name: Name + + * Value: PC0004 + + * Select **Resources** + + * Select **PC0004** + +2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection. + +## Create a new deployment + + +Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: + +- General + + - Collection: USMT Backup (Replace) + +- Deployment Settings + + - Purpose: Available + + - Make available to the following: Only Configuration Manager Clients + +- Scheduling + + - <default> + +- User Experience + + - <default> + +- Alerts + + - <default> + +- Distribution Points + + - <default> + +## Verify the backup + + +This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed. + +1. Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet. + +2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**. + + >[!NOTE] + >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). + +3. 
Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**. + +4. In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**. + +5. Allow the Replace Task Sequence to complete. It should only take about five minutes. + +6. On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup. + +7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. + + >[!NOTE] + >It may take a few minutes for the user state store location to be populated. + + + +## Deploy the new computer + + +1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: + + * Password: P@ssw0rd + + * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image + +2. The setup now starts and does the following: + + * Installs the Windows 10 operating system + + * Installs the Configuration Manager client + + * Joins it to the domain + + * Installs the applications + + * Restores the PC0004 backup + +When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored. 
+ +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + + + + + + + + + diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index e9b3ec607d..adca6df481 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md 
@@ -28,10 +28,10 @@ Windows 10 upgrade options are discussed and information is provided about plann |[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | |[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. | |[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | -|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | +|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. 
Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). | |[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | -|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | +|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | |[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. 
| |[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 9530728934..4414c1e8fe 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -10,8 +10,7 @@ metadata: ms.localizationpriority: high author: greg-lindsay ms.author: greglin - manager: elizapo - ms.date: 02/09/2018 + manager: laurawi ms.topic: article ms.devlang: na @@ -35,11 +34,11 @@ sections: image: src: https://docs.microsoft.com/media/common/i_upgrade.svg title: Windows as a service - - href: update/windows-analytics-overview - html:

    Windows Analytics provides deep insights into your Windows 10 environment.

    + - href: windows-autopilot/windows-autopilot + html:

    Windows Autopilot greatly simplifies deployment of Windows devices

    image: - src: https://docs.microsoft.com/media/common/i_investigate.svg - title: Windows Analytics + src: https://docs.microsoft.com/media/common/i_delivery.svg + title: Windows Autopilot - title: - items: - type: markdown diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index b4ff72ee14..5dc23ca66e 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md 
@@ -1,456 +1,458 @@ ---- -title: MBR2GPT -description: How to use the MBR2GPT tool to convert MBR partitions to GPT -keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.date: 02/13/2018 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# MBR2GPT.EXE - -**Applies to** -- Windows 10 - -## Summary - -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. - ->MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. ->The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. - -See the following video for a detailed description and demonstration of MBR2GPT. - - - -You can use MBR2GPT to: - -- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. -- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. 
-- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. -- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later. - -Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. - ->[!IMPORTANT] ->After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
    Make sure that your device supports UEFI before attempting to convert the disk. - -## Disk Prerequisites - -Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: -- The disk is currently using MBR -- There is enough space not occupied by partitions to store the primary and secondary GPTs: - - 16KB + 2 sectors at the front of the disk - - 16KB + 1 sector at the end of the disk -- There are at most 3 primary partitions in the MBR partition table -- One of the partitions is set as active and is the system partition -- The disk does not have any extended/logical partition -- The BCD store on the system partition contains a default OS entry pointing to an OS partition -- The volume IDs can be retrieved for each volume which has a drive letter assigned -- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option - -If any of these checks fails, the conversion will not proceed and an error will be returned. - -## Syntax - - -
    MBR2GPT /validate|convert [/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>] [/allowFullOS] -
    - -### Options - -| Option | Description | -|----|-------------| -|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | -|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | -|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| -|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| -|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.| - -## Examples - -### Validation example - -In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. - -``` -X:\>mbr2gpt /validate /disk:0 -MBR2GPT: Attempting to validate disk 0 -MBR2GPT: Retrieving layout of disk -MBR2GPT: Validating layout, disk sector size is: 512 -MBR2GPT: Validation completed successfully -``` - -### Conversion example - -In the following example: - -1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. -2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. -2. The MBR2GPT tool is used to convert disk 0. -3. The DiskPart tool displays that disk 0 is now using the GPT format. -4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. - ->As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. 
- -``` -X:\>DiskPart - -Microsoft DiskPart version 10.0.15048.0 - -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N - -DISKPART> list volume - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- - Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy - Volume 1 C System Rese NTFS Partition 499 MB Healthy - Volume 2 D Windows NTFS Partition 58 GB Healthy - Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden - -DISKPART> select volume 2 - -Volume 2 is the selected volume. - -DISKPART> list partition - - Partition ### Type Size Offset - ------------- ---------------- ------- ------- - Partition 1 Primary 499 MB 1024 KB -* Partition 2 Primary 58 GB 500 MB - Partition 3 Recovery 612 MB 59 GB - -DISKPART> detail partition - -Partition 2 -Type : 07 -Hidden: No -Active: No -Offset in Bytes: 524288000 - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- -* Volume 2 D Windows NTFS Partition 58 GB Healthy - -DISKPART> exit - -Leaving DiskPart... - -X:\>mbr2gpt /convert /disk:0 - -MBR2GPT will now attempt to convert disk 0. -If conversion is successful the disk can only be booted in GPT mode. -These changes cannot be undone! - -MBR2GPT: Attempting to convert disk 0 -MBR2GPT: Retrieving layout of disk -MBR2GPT: Validating layout, disk sector size is: 512 bytes -MBR2GPT: Trying to shrink the system partition -MBR2GPT: Trying to shrink the OS partition -MBR2GPT: Creating the EFI system partition -MBR2GPT: Installing the new boot files -MBR2GPT: Performing the layout conversion -MBR2GPT: Migrating default boot entry -MBR2GPT: Adding recovery boot entry -MBR2GPT: Fixing drive letter mapping -MBR2GPT: Conversion completed successfully -MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! 
- -X:\>DiskPart - -Microsoft DiskPart version 10.0.15048.0 - -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N - -DISKPART> list disk - - Disk ### Status Size Free Dyn Gpt - -------- ------------- ------- ------- --- --- - Disk 0 Online 60 GB 0 B * - -DISKPART> select disk 0 - -Disk 0 is now the selected disk. - -DISKPART> list volume - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- - Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy - Volume 1 D Windows NTFS Partition 58 GB Healthy - Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden - Volume 3 FAT32 Partition 100 MB Healthy Hidden - Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden - -DISKPART> select volume 1 - -Volume 1 is the selected volume. - -DISKPART> list partition - - Partition ### Type Size Offset - ------------- ---------------- ------- ------- - Partition 1 Recovery 499 MB 1024 KB -* Partition 2 Primary 58 GB 500 MB - Partition 4 System 100 MB 59 GB - Partition 3 Recovery 612 MB 59 GB - -DISKPART> detail partition - -Partition 2 -Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 -Hidden : No -Required: No -Attrib : 0000000000000000 -Offset in Bytes: 524288000 - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- -* Volume 1 D Windows NTFS Partition 58 GB Healthy -``` - -## Specifications - -### Disk conversion workflow - -The following steps illustrate high-level phases of the MBR-to-GPT conversion process: - -1. Disk validation is performed. -2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist. -3. UEFI boot files are installed to the ESP. -4. GPT metatdata and layout information is applied. -5. The boot configuration data (BCD) store is updated. -6. Drive letter assignments are restored. 
- -### Creating an EFI system partition - -For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: - -1. The existing MBR system partition is reused if it meets these requirements:
    - a. It is not also the OS or Windows Recovery Environment partition.
    - b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
    - c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
    - d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed. -2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32. - -If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified. - ->[!IMPORTANT] ->If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. - -### Partition type mapping and partition attributes - -Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: - -1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). -2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used. -3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac). -4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). 
- -In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: -- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) -- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) - -For more information about partition types, see: -- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) -- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) - - -### Persisting drive letter assignments - -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. - -The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: - -1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. -2. If found, set the value to be the new unique ID, obtained after the layout conversion. -3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. - -## Troubleshooting - -The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. 
To view more detail about any errors that are encountered, see the associated [log files](#logs). - -### Logs - -Four log files are created by the MBR2GPT tool: - -- diagerr.xml -- diagwrn.xml -- setupact.log -- setuperr.log - -These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. - -The default location for all these log files in Windows PE is **%windir%**. - -### Interactive help - -To view a list of options available when using the tool, type **mbr2gpt /?** - -The following text is displayed: - -``` - -C:\> mbr2gpt /? - -Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. - -MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS] - -Where: - - /validate - - Validates that the selected disk can be converted - without performing the actual conversion. - - /convert - - Validates that the selected disk can be converted - and performs the actual conversion. - - /disk: - - Specifies the disk number of the disk to be processed. - If not specified, the system disk is processed. - - /logs: - - Specifies the directory for logging. By default logs - are created in the %windir% directory. - - /map:= - - Specifies the GPT partition type to be used for a - given MBR partition type not recognized by Windows. - Multiple /map switches are allowed. - - /allowFullOS - - Allows the tool to be used from the full Windows - environment. By default, this tool can only be used - from the Windows Preinstallation Environment. 
-``` - -### Return codes - -MBR2GPT has the following associated return codes: - -| Return code | Description | -|----|-------------| -|0| Conversion completed successfully.| -|1| Conversion was canceled by the user.| -|2| Conversion failed due to an internal error.| -|3| Conversion failed due to an initialization error.| -|4| Conversion failed due to invalid command-line parameters. | -|5| Conversion failed due to error reading the geometry and layout of the selected disk.| -|6| Conversion failed because one or more volumes on the disk is encrypted.| -|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.| -|8| Conversion failed due to error while creating the EFI system partition.| -|9| Conversion failed due to error installing boot files.| -|10| Conversion failed due to error while applying GPT layout.| -|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.| - - -### Determining the partition type - -You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: - - -``` -PS C:\> Get-Disk | ft -Auto - -Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style ------- ------------- ------------- ------------ ----------------- ---------- --------------- -0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR -1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT -``` - -You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: - -![Volumes](images/mbr2gpt-volume.PNG) - - -If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. 
To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: - -``` -X:\>DiskPart - -Microsoft DiskPart version 10.0.15048.0 - -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N - -DISKPART> list disk - - Disk ### Status Size Free Dyn Gpt - -------- ------------- ------- ------- --- --- - Disk 0 Online 238 GB 0 B - Disk 1 Online 931 GB 0 B * -``` - -In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. - - -## Known issue - -### MBR2GPT.exe cannot run in Windows PE - -When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: - -**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive. - -**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool. - -**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a System Center Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. - -#### Cause - -This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. - -#### Workaround - -To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps: - -1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). 
For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). - -2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. - - For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: - - **Command 1:** - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" - ``` - This command copies three files: - - * ReAgent.admx - * ReAgent.dll - * ReAgent.xml - - **Command 2:** - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" - ``` - This command copies two files: - * ReAgent.adml - * ReAgent.dll.mui - - > [!NOTE] - > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. - -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). - - -## Related topics - -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +--- +title: MBR2GPT +description: How to use the MBR2GPT tool to convert MBR partitions to GPT +keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.date: 02/13/2018 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# MBR2GPT.EXE + +**Applies to** +- Windows 10 + +## Summary + +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. + +>MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. +>The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. + +See the following video for a detailed description and demonstration of MBR2GPT. + + + +You can use MBR2GPT to: + +- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. +- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. 
+- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. +- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later. + +Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. + +>[!IMPORTANT] +>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
    Make sure that your device supports UEFI before attempting to convert the disk. + +## Disk Prerequisites + +Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: +- The disk is currently using MBR +- There is enough space not occupied by partitions to store the primary and secondary GPTs: + - 16KB + 2 sectors at the front of the disk + - 16KB + 1 sector at the end of the disk +- There are at most 3 primary partitions in the MBR partition table +- One of the partitions is set as active and is the system partition +- The disk does not have any extended/logical partition +- The BCD store on the system partition contains a default OS entry pointing to an OS partition +- The volume IDs can be retrieved for each volume which has a drive letter assigned +- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option + +If any of these checks fails, the conversion will not proceed and an error will be returned. + +## Syntax + + +
    MBR2GPT /validate|convert [/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>] [/allowFullOS] +
    + +### Options + +| Option | Description | +|----|-------------| +|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | +|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | +|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| +|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| +|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | +|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.| + +## Examples + +### Validation example + +In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. + +``` +X:\>mbr2gpt /validate /disk:0 +MBR2GPT: Attempting to validate disk 0 +MBR2GPT: Retrieving layout of disk +MBR2GPT: Validating layout, disk sector size is: 512 +MBR2GPT: Validation completed successfully +``` + +### Conversion example + +In the following example: + +1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. +2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. +2. The MBR2GPT tool is used to convert disk 0. +3. The DiskPart tool displays that disk 0 is now using the GPT format. +4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). +5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. + +>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. 
+ +``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list volume + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- + Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy + Volume 1 C System Rese NTFS Partition 499 MB Healthy + Volume 2 D Windows NTFS Partition 58 GB Healthy + Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden + +DISKPART> select volume 2 + +Volume 2 is the selected volume. + +DISKPART> list partition + + Partition ### Type Size Offset + ------------- ---------------- ------- ------- + Partition 1 Primary 499 MB 1024 KB +* Partition 2 Primary 58 GB 500 MB + Partition 3 Recovery 612 MB 59 GB + +DISKPART> detail partition + +Partition 2 +Type : 07 +Hidden: No +Active: No +Offset in Bytes: 524288000 + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- +* Volume 2 D Windows NTFS Partition 58 GB Healthy + +DISKPART> exit + +Leaving DiskPart... + +X:\>mbr2gpt /convert /disk:0 + +MBR2GPT will now attempt to convert disk 0. +If conversion is successful the disk can only be booted in GPT mode. +These changes cannot be undone! + +MBR2GPT: Attempting to convert disk 0 +MBR2GPT: Retrieving layout of disk +MBR2GPT: Validating layout, disk sector size is: 512 bytes +MBR2GPT: Trying to shrink the system partition +MBR2GPT: Trying to shrink the OS partition +MBR2GPT: Creating the EFI system partition +MBR2GPT: Installing the new boot files +MBR2GPT: Performing the layout conversion +MBR2GPT: Migrating default boot entry +MBR2GPT: Adding recovery boot entry +MBR2GPT: Fixing drive letter mapping +MBR2GPT: Conversion completed successfully +MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! 
+ +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list disk + + Disk ### Status Size Free Dyn Gpt + -------- ------------- ------- ------- --- --- + Disk 0 Online 60 GB 0 B * + +DISKPART> select disk 0 + +Disk 0 is now the selected disk. + +DISKPART> list volume + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- + Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy + Volume 1 D Windows NTFS Partition 58 GB Healthy + Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden + Volume 3 FAT32 Partition 100 MB Healthy Hidden + Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden + +DISKPART> select volume 1 + +Volume 1 is the selected volume. + +DISKPART> list partition + + Partition ### Type Size Offset + ------------- ---------------- ------- ------- + Partition 1 Recovery 499 MB 1024 KB +* Partition 2 Primary 58 GB 500 MB + Partition 4 System 100 MB 59 GB + Partition 3 Recovery 612 MB 59 GB + +DISKPART> detail partition + +Partition 2 +Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 +Hidden : No +Required: No +Attrib : 0000000000000000 +Offset in Bytes: 524288000 + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- +* Volume 1 D Windows NTFS Partition 58 GB Healthy +``` + +## Specifications + +### Disk conversion workflow + +The following steps illustrate high-level phases of the MBR-to-GPT conversion process: + +1. Disk validation is performed. +2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist. +3. UEFI boot files are installed to the ESP. +4. GPT metatdata and layout information is applied. +5. The boot configuration data (BCD) store is updated. +6. Drive letter assignments are restored. 
+ +### Creating an EFI system partition + +For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: + +1. The existing MBR system partition is reused if it meets these requirements:
    + a. It is not also the OS or Windows Recovery Environment partition.
    + b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
    + c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
    + d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed. +2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32. + +If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified. + +>[!IMPORTANT] +>If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. + +### Partition type mapping and partition attributes + +Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: + +1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). +2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used. +3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac). +4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). 
+ +In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: +- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) +- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) + +For more information about partition types, see: +- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) +- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) + + +### Persisting drive letter assignments + +The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. + +The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: + +1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. +2. If found, set the value to be the new unique ID, obtained after the layout conversion. +3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. + +## Troubleshooting + +The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. 
To view more detail about any errors that are encountered, see the associated [log files](#logs). + +### Logs + +Four log files are created by the MBR2GPT tool: + +- diagerr.xml +- diagwrn.xml +- setupact.log +- setuperr.log + +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. + +The default location for all these log files in Windows PE is **%windir%**. + +### Interactive help + +To view a list of options available when using the tool, type **mbr2gpt /?** + +The following text is displayed: + +``` + +C:\> mbr2gpt /? + +Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. + +MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS] + +Where: + + /validate + - Validates that the selected disk can be converted + without performing the actual conversion. + + /convert + - Validates that the selected disk can be converted + and performs the actual conversion. + + /disk: + - Specifies the disk number of the disk to be processed. + If not specified, the system disk is processed. + + /logs: + - Specifies the directory for logging. By default logs + are created in the %windir% directory. + + /map:= + - Specifies the GPT partition type to be used for a + given MBR partition type not recognized by Windows. + Multiple /map switches are allowed. + + /allowFullOS + - Allows the tool to be used from the full Windows + environment. By default, this tool can only be used + from the Windows Preinstallation Environment. 
+``` + +### Return codes + +MBR2GPT has the following associated return codes: + +| Return code | Description | +|----|-------------| +|0| Conversion completed successfully.| +|1| Conversion was canceled by the user.| +|2| Conversion failed due to an internal error.| +|3| Conversion failed due to an initialization error.| +|4| Conversion failed due to invalid command-line parameters. | +|5| Conversion failed due to error reading the geometry and layout of the selected disk.| +|6| Conversion failed because one or more volumes on the disk is encrypted.| +|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.| +|8| Conversion failed due to error while creating the EFI system partition.| +|9| Conversion failed due to error installing boot files.| +|10| Conversion failed due to error while applying GPT layout.| +|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.| + + +### Determining the partition type + +You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: + + +``` +PS C:\> Get-Disk | ft -Auto + +Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style +------ ------------- ------------- ------------ ----------------- ---------- --------------- +0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR +1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT +``` + +You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: + +![Volumes](images/mbr2gpt-volume.PNG) + + +If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. 
To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: + +``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list disk + + Disk ### Status Size Free Dyn Gpt + -------- ------------- ------- ------- --- --- + Disk 0 Online 238 GB 0 B + Disk 1 Online 931 GB 0 B * +``` + +In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. + + +## Known issue + +### MBR2GPT.exe cannot run in Windows PE + +When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: + +**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive. + +**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool. + +**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. + +#### Cause + +This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. + +#### Workaround + +To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps: + +1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). 
For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). + +2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. + + For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: + + **Command 1:** + ```cmd + copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" + ``` + This command copies three files: + + * ReAgent.admx + * ReAgent.dll + * ReAgent.xml + + **Command 2:** + ```cmd + copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" + ``` + This command copies two files: + * ReAgent.adml + * ReAgent.dll.mui + + > [!NOTE] + > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. + +3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). + + +## Related topics + +[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) +
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md index fe7585f713..abb5e94fdb 100644 --- a/windows/deployment/planning/act-technical-reference.md +++ b/windows/deployment/planning/act-technical-reference.md @@ -34,7 +34,7 @@ Use Windows Analytics to get: - Guidance and insights into application and driver compatibility issues, with suggested fixes - Data driven application rationalization tools - Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager +- Data export to commonly used software deployment tools, including Microsoft Endpoint Configuration Manager The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index 6c41d9922c..08cbf28585 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md 
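Review bot: in the new MBR2GPT.md front matter the key `author: greg-lindsay` appears twice, `audience: itpro` and `ms.audience: itpro` are both present, and `ms.reviewer:` is empty; keep one `author` key and one audience key, and bump `ms.date: 02/13/2018`, which predates the Windows 10 version 1903 known issue and the Microsoft Endpoint Configuration Manager name used further down the same file. The Options table rows `|/disk:\|`, `|/logs:\|` and `|/map:\=\|` and the interactive help block (`[/disk:] [/logs:] [/map:=]`) have lost the placeholders that the Syntax line still shows (`[/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>]`); escape the angle brackets so they render. The conversion example list is numbered 1, 2, 2, 3, 4, 5; renumber it. Typos: "GPT metatdata", "Window 10, version 1903 ADK" in workaround step 2, and "Both validation and conversion are clear if any errors are encountered" should say that both report any errors they encounter. Since the Summary says a disk with BitLocker-encrypted volumes converts only while protection is suspended, and return code 6 reads "Conversion failed because one or more volumes on the disk is encrypted", add a cross-reference between the two so readers do not take them as contradictory.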
@@ -55,7 +55,7 @@ The following scenarios are examples of situations in which Windows To Go worksp - **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. -- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including System Center Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. +- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. - **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. 
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 72439c1132..4b2d75eae6 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md 
@@ -57,7 +57,7 @@ The features described below are no longer being actively developed, and might b |Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 | |Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 | |Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 | -|Windows Hello for Business deployment that uses System Center Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | +|Windows Hello for Business deployment that uses Microsoft Endpoint Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | |Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 | |Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 | |Tile Data Layer | The [Tile Data Layer](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 8716d1b086..764b8d1ca5 100644 
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md 
@@ -1,134 +1,136 @@ ---- -title: Windows 10 Enterprise FAQ for IT pros (Windows 10) -description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. -keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 08/18/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows 10 Enterprise: FAQ for IT professionals - -Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. - -## Download and requirements - -### Where can I download Windows 10 Enterprise? - -If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). - -### What are the system requirements? - -For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752). - -### What are the hardware requirements for Windows 10? - -Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information. 
- -### Can I evaluate Windows 10 Enterprise? - -Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. - -## Drivers and compatibility - -### Where can I find drivers for my devices for Windows 10 Enterprise? - -For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. -- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. -- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. -- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. 
Driver packs for some common manufacturers include: - - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) - - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) - - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) - - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) - -### Where can I find out if an application or device is compatible with Windows 10? - -Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center. - -### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? - -[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics). 
- -## Administration and deployment - -### Which deployment tools support Windows 10? - -Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. -- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. -- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [System Center Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. -- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. - -### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? - -Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit). - -### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? 
- -If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - -For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. - -## Managing updates - -### What is Windows as a service? - -The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). - -### How is servicing different with Windows as a service? - -Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. - -### What are the servicing channels? - -To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. 
For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels). - -### What tools can I use to manage Windows as a service updates? - -There are many tools are available. You can choose from these: -- Windows Update -- Windows Update for Business -- Windows Server Update Services -- System Center Configuration Manager - -For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools). - -## User experience - -### Where can I find information about new features and changes in Windows 10 Enterprise? - -For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. - -Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. - -To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). 
- -### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? - -Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources. - -### How does Windows 10 help people work with applications and data across a variety of devices? - -The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include: -- Start menu is a launching point for access to apps. -- Universal apps now open in windows instead of full screen. -- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. -- Tablet Mode to simplify using Windows with a finger or pen by using touch input. - -## Help and support - -### Where can I ask a question about Windows 10? - -Use the following resources for additional information about Windows 10. -- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. 
-- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). -- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. -- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. +--- +title: Windows 10 Enterprise FAQ for IT pros (Windows 10) +description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. +keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 08/18/2017 +ms.reviewer: +manager: laurawi +ms.author: greglin +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Windows 10 Enterprise: FAQ for IT professionals + +Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. + +## Download and requirements + +### Where can I download Windows 10 Enterprise? + +If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). 
If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). + +### What are the system requirements? + +For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752). + +### What are the hardware requirements for Windows 10? + +Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information. + +### Can I evaluate Windows 10 Enterprise? + +Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. + +## Drivers and compatibility + +### Where can I find drivers for my devices for Windows 10 Enterprise? + +For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. +- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. 
If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. +- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. +- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include: + - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) + - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) + - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) + - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) + +### Where can I find out if an application or device is compatible with Windows 10? + +Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center. 
+ +### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? + +[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics). + +## Administration and deployment + +### Which deployment tools support Windows 10? + +Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. +- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. +- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. +- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. 
+ +### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? + +Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit). + +### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? + +If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + +For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. + +## Managing updates + +### What is Windows as a service? + +The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. 
For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). + +### How is servicing different with Windows as a service? + +Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. + +### What are the servicing channels? + +To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels). + +### What tools can I use to manage Windows as a service updates? + +There are many tools are available. You can choose from these: +- Windows Update +- Windows Update for Business +- Windows Server Update Services +- Microsoft Endpoint Configuration Manager + +For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools). 
+ +## User experience + +### Where can I find information about new features and changes in Windows 10 Enterprise? + +For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. + +Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. + +To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). + +### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? + +Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources. + +### How does Windows 10 help people work with applications and data across a variety of devices? + +The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. 
Key changes include: +- Start menu is a launching point for access to apps. +- Universal apps now open in windows instead of full screen. +- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. +- Tablet Mode to simplify using Windows with a finger or pen by using touch input. + +## Help and support + +### Where can I ask a question about Windows 10? + +Use the following resources for additional information about Windows 10. +- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. +- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). +- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. +- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index afbf7e0553..484aa23fe6 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md 
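Review bot: The new front matter in this hunk repeats `audience: itpro` and `author: greg-lindsay`; each key appears once before `ms.date` and again after `ms.author`. Duplicate mapping keys are not valid YAML, and parsers either reject the document or silently keep only the last value, so drop the second pair. Two smaller points while this file is being rewritten: `ms.date: 08/18/2017` has not been bumped even though the product-name text changed, and the carried-over sentence "There are many tools are available." has a stray "are". Note also that the renamed link texts (for example "Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager" and "Microsoft Endpoint Configuration Manager and Endpoint Protection (current branch)") keep their original URLs, which still embed the old product name, so this is a display-name change only and the targets should be confirmed to still resolve.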
@@ -50,7 +50,7 @@ For System Center Configuration Manager, Windows 10 support is offered with var > [!NOTE] -> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management. +> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management.   For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). 
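Review bot: The rename in this hunk is applied inconsistently: the note now says later builds require "Microsoft Endpoint Configuration Manager current branch", but the unchanged context on either side still reads "For System Center Configuration Manager, Windows 10 support is offered..." and "For more details about System Center Configuration Manager support for Windows 10...", so a reader meets both names for the same product in three consecutive sentences. Either update those two context sentences as well or leave all three alone; the link title "Deploy Windows 10 with System Center 2012 R2 Configuration Manager" is a historical product name and should stay as is. The capitalised "With" in "not supported With Configuration Manager 2012" is carried over from the `-` line and could be fixed in the same edit.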
@@ -58,7 +58,7 @@ For more details about System Center Configuration Manager support for Windows  ## Management tools -In addition to System Center Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. +In addition to Microsoft Endpoint Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features. 
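Review bot: Only the product name changes in this paragraph, which is fine as a rename, but since the whole paragraph is re-emitted, the two links whose visible text is just "here" (the separate ADMX download and the central-store update steps) should get descriptive link text; bare "here" links are a known accessibility and docs-style problem, and the neighbouring "Group Policy settings reference" link already shows the preferred form.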
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index 40c4c03e81..77f7cfe31a 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -165,7 +165,7 @@ Yes, if the user has administrator permissions they can self-provision a Windows ## How can Windows To Go be managed in an organization? -Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like System Center Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. +Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Endpoint Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. ## How do I make my computer boot from USB? diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index d162aa111d..23fefc02cd 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md 
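Review bot: The second sentence of the replaced paragraph carries over a grammar slip: "can be managed using Group Policy setting also in the same manner that you manage Group Policy settings" should read "can be managed using Group Policy settings, in the same manner as you manage Group Policy settings for other PCs". Because the `+` line rewrites the paragraph in full, that fix belongs in this hunk rather than in a follow-up.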
@@ -56,7 +56,7 @@ The applications that you want to use from the Windows To Go workspace should be ## Prepare for Windows To Go -Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. +Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Endpoint Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) to review deployment tools available. diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md index c46b4cc2da..8f73fcdfd0 100644 --- a/windows/deployment/update/PSFxWhitepaper.md +++ b/windows/deployment/update/PSFxWhitepaper.md 
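Review bot: The rename itself is correct, but the unchanged context line directly after it, "These same tools can be used to provision Windows To Go drive", is missing an article ("a Windows To Go drive"); worth folding into this change since the surrounding paragraph is already in the diff.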
@@ -72,7 +72,7 @@ numerous advantages: Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version. -For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), System Center Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints. +For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). 
A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints. The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly. diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index 37ed550405..7e35245a09 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md 
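Review bot: The renamed list of update distribution servers is fine, but the `+` line re-emits the whole paragraph, so it is the natural place to fix the carried-over "A device leveraging express updates uses network protocol to determine optimal differentials", which needs "a network protocol". One scoping point: this paragraph is explicitly framed as historical behaviour ("Windows 10, version 1803 and older"), while the other hunks in this PR qualify the new name with "(current branch)"; consider using the same qualifier here so readers of the historical description are not left wondering which branch is meant.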
@@ -19,7 +19,7 @@ ms.topic: article **Applies to**: Windows 10 -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index d08ff458c4..a81d83a38c 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md 
@@ -41,12 +41,12 @@ Windows as a service provides a new way to think about building, deploying, and | [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | | [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | -| [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | +| [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | | [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. | | [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | | [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] ->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. 
+>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. >With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709). diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index aee88e8e01..6bb0bf7519 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md 
@@ -20,7 +20,7 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. - Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. 
@@ -39,7 +39,7 @@ In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization ## Configure servers for BranchCache -You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager. +You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Endpoint Configuration Manager. For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide). diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index ae41811326..0c96d3ba90 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md 
@@ -190,7 +190,7 @@ Starting with Windows 10, version 1709, you can set policies to manage preview b The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* * MDM: **Update/ManagePreviewBuilds** -* System Center Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy** +* Microsoft Endpoint Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy** >[!IMPORTANT] >This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here: @@ -273,5 +273,5 @@ When a device running a newer version sees an update available on Windows Update - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 6d7bf33b2a..9de80024c2 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
@@ -24,7 +24,7 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Configuration Manager (when installation of Express Updates is enabled). Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. 
This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. @@ -190,5 +190,5 @@ If you suspect this is the problem, try a Telnet test between two devices on the - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index d5eab1b3c4..5888c1f3a1 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -56,7 +56,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is | ![done](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) | | ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 4d5f0b31bc..9d8afa433e 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -1,6 +1,6 @@ --- title: Integrate Windows Update for Business (Windows 10) -description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. +description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -21,7 +21,7 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. +You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. ## Integrate Windows Update for Business with Windows Server Update Services 
@@ -85,7 +85,7 @@ In this example, the deferral behavior for updates to Office and other non-Windo >[!NOTE] > Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner. -## Integrate Windows Update for Business with System Center Configuration Manager +## Integrate Windows Update for Business with Microsoft Endpoint Configuration Manager For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. @@ -109,6 +109,6 @@ For more information, see [Integration with Windows Update for Business in Windo - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md index 1ebdd76767..da28265e33 100644 --- a/windows/deployment/update/waas-manage-updates-configuration-manager.md +++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md 
@@ -1,6 +1,6 @@ --- -title: Deploy Windows 10 updates via System Center Configuration Manager -description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. +title: Deploy Windows 10 updates via Microsoft Endpoint Configuration Manager +description: Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -11,7 +11,7 @@ manager: laurawi ms.topic: article --- -# Deploy Windows 10 updates using System Center Configuration Manager +# Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager **Applies to** 
@@ -25,21 +25,21 @@ ms.topic: article >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. +Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. 
The second option is to use a task sequence to deploy feature updates, along with anything else in the installation. >[!NOTE] ->This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager). +>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager). ## Windows 10 servicing dashboard -The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx). +The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx). For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements: - **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. 
Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods. -- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed. +- **Windows Server Update Service (WSUS)**. Microsoft Endpoint Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed. - **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode. - **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications. @@ -143,7 +143,7 @@ After you have updated the membership, this new collection will contain all mana ## Use Windows 10 servicing plans to deploy Windows 10 feature updates -There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates. +There are two ways to deploy Windows 10 feature updates with Microsoft Endpoint Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates. **To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan** 
@@ -160,7 +160,7 @@ There are two ways to deploy Windows 10 feature updates with System Center Confi > >![This is a high-risk deployment](images/waas-sccm-fig9.png) > - >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx). + >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx). 5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**. @@ -212,10 +212,7 @@ Each time Microsoft releases a new Windows 10 build, it releases a new .iso file 3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**. In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607. - - >[!NOTE] - >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607. - + 4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**. 5. On the **Summary** page, click **Next** to create the package. 
@@ -303,11 +300,11 @@ With the task sequence created, you’re ready to deploy it. If you’re using t | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or Deploy Windows 10 updates using System Center Configuration Manager (this topic) | +| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager (this topic) | ## See also -[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service) +[Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) ## Related topics diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index e24cc6ff0b..61db3462a7 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md 
@@ -24,7 +24,7 @@ ms.topic: article >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. +WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Configuration Manager provides. When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. 
@@ -331,7 +331,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or Deploy Windows 10 updates using Windows Server Update Services (this topic)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or Deploy Windows 10 updates using Windows Server Update Services (this topic)
    or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | @@ -351,5 +351,5 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 479877ca3a..2486006471 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -118,7 +118,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![done](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics - [Update Windows 10 in the enterprise](index.md) @@ -135,7 +135,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md index c0d1218ade..abb64e0561 100644 --- a/windows/deployment/update/waas-mobile-updates.md +++ b/windows/deployment/update/waas-mobile-updates.md @@ -70,7 +70,7 @@ Only the following Windows Update for Business policies are supported for Window - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) 
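Review bot: the checklist row in the waas-manage-updates-wufb.md hunk (@@ -118) and the Related topics lists (@@ -135, and waas-mobile-updates.md @@ -70) change only the visible link text while the target stays waas-manage-updates-configuration-manager.md, which is correct, but the same checklist table and the same Related topics list are duplicated verbatim across several topics in this patch. Consider moving the table into a shared include so the next rename touches one file; at minimum, grep windows/deployment/update for any remaining "System Center Configuration Manager" so no copy is left half-renamed.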
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 7eda1ffad1..1e0f4be7b7 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -33,7 +33,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. - Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. + Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.

    
@@ -43,9 +43,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | > [!NOTE] -> System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache). +> Microsoft Endpoint Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/configmgr/core/plan-design/hierarchy/client-peer-cache). > -> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). +> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. 
Using this technology, clients imaging with Microsoft Endpoint Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). ## Express update delivery @@ -55,7 +55,7 @@ Windows 10 quality update downloads can be large because every package contains > Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. ### How Microsoft supports Express -- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. +- **Express on Microsoft Endpoint Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. - **Express on WSUS Standalone** Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). 
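Review bot: the Client Peer Cache link in the waas-optimize-windows-10-updates.md hunk (@@ -43) moves from docs.microsoft.com/sccm/... to docs.microsoft.com/configmgr/...; please confirm the new path resolves directly rather than through a redirect, since the second link in the same note already uses the /configmgr/ prefix and both should behave the same way. While the line is being rewritten, "boundary Group" should read "boundary group".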
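Review bot: the Express bullet in the waas-optimize-windows-10-updates.md hunk (@@ -55) now reads "Express on Microsoft Endpoint Configuration Manager starting with version 1702 of Configuration Manager", which pairs the new brand name with a version that the removed line documented under the old name. Suggest "Express on Configuration Manager, starting with version 1702 and Windows 10, version 1703 or later, ..." so an admin checking the version shown in their console is not led to expect a newer release.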
@@ -93,7 +93,7 @@ At this point, the download is complete and the update is ready to be installed. | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 1b1a144c38..812e47c937 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -112,7 +112,7 @@ The concept of servicing channels is new, but organizations can use the same man In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Starting with Windows 10, version 1607, more servicing tools that can delay feature updates for up to 365 days are available. This servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment. -When Microsoft officially releases a feature update for Windows 10, it is made available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). +When Microsoft officially releases a feature update for Windows 10, it is made available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. 
In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release. 
@@ -163,9 +163,9 @@ There are many tools with which IT pros can service Windows as a service. Each o - **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 device. - **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes control over update deferment and provides centralized management using Group Policy. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune. - **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. -- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. +- **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. -With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. 
For example, if IT already uses System Center Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1. +With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses Microsoft Endpoint Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1. **Table 1** @@ -190,7 +190,7 @@ With all these options, which an organization chooses depends on the resources, | ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index b2f7bf1b6a..7e0bf21538 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -48,7 +48,7 @@ See [Assign devices to servicing channels for Windows 10 updates](waas-servicing ## Staying up to date -The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help. +The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and third-party products) can be used to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help. Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. 
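Review bot: the rewritten sentence in the waas-quick-start.md hunk (@@ -48) keeps an unmatched closing parenthesis in "tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and third-party products) can be used". Since the line is already being changed for the rename, either add the opening parenthesis before "such as" or drop the stray ")".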
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 2f891c98c0..2eae42de3a 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -178,7 +178,7 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 66ffdd5dd6..d55a28a5c1 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md 
@@ -87,7 +87,7 @@ Moving to the cumulative model for legacy OS versions continues to improve predi Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program. > [!NOTE] -> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as System Center Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10. +> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10. > [!NOTE] > Preview updates for Windows 10 are not named differently than their LCU counterparts and do not contain the word 'Preview'. They can be identified by their release date (C or D week) and their classification as non-security updates. 
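Review bot: the rewritten NOTE in the waas-servicing-differences.md hunk (@@ -87) still lacks a grammatical subject: "For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates". Suggest "Customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10." This is the sentence an administrator will read when deciding whether missing C/D preview updates for older releases are expected behaviour or a sync problem, so it should parse cleanly.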
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 66702a34a3..e82f2eebde 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md 
@@ -32,7 +32,7 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which - **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. - **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). 
Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) -- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). +- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. 
This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). >[!NOTE] @@ -56,7 +56,7 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou | ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 8b7d1bcfd2..5119f6f5be 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -138,7 +138,7 @@ We recommend that you set up a ring to receive preview builds by joining the Win - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index 71296b4265..30af2075e1 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md 
@@ -282,7 +282,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 5898646433..7a204e0bab 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md 
@@ -73,7 +73,7 @@ If devices are not showing up as expected, find a representative device and foll 5. Check the output of the script in the command window and/or log **UA_dateTime_machineName.txt** to ensure that all steps were completed successfully. 6. If you are still seeing errors you can't diagnose, then consider open a support case with Microsoft Support through your regular channel and provide this information. -If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally. +If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, Microsoft Endpoint Configuration Manager) and check the results centrally. If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog. 
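Review bot: the unchanged context line just above the renamed sentence in the windows-analytics-FAQ-troubleshooting.md hunk (@@ -73) reads "consider open a support case"; since the paragraph is already being touched, folding in "consider opening a support case" is a cheap fix.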
@@ -284,12 +284,12 @@ Beyond the cost of Windows operating system licenses, there is no additional cos Note that different Azure Log Analytics plans have different data retention periods, and the Windows Analytics solutions inherit the workspace's data retention policy. So, for example, if your workspace is on the free plan then Windows Analytics will retain the last week's worth of "daily snapshots" that are collected in the workspace. -### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade? -System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”. +### Why do Microsoft Endpoint Configuration Manager and Upgrade Readiness show different counts of devices that are ready to upgrade? +Microsoft Endpoint Configuration Manager considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”. Currently, you can choose the criteria you wish to use: -- To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). -- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. +- To use the Configuration Manager criteria, create the collection of devices ready to upgrade within the Configuration Manager console (using the analytics connector). 
+- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the Configuration Manager collection from that spreadsheet. ### How does Upgrade Readiness collect the inventory of devices and applications? For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index e8fdb8a2c2..45520df78e 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md 
@@ -28,7 +28,7 @@ Windows Autopilot user-driven mode is designed to enable new Windows 10 devices After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be suppressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. -Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +Today, Windows Autopilot user-driven mode supports Azure Active Directory and Hybrid Azure Active Directory joined devices. See [What is a device identity](https://docs.microsoft.com/azure/active-directory/devices/overview) for more information about these two join options. ## Available user-driven modes diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 64cfa25866..c70d65a6ce 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md 
@@ -149,3 +149,20 @@ The **Review problem reports** tool opens, showing you your Windows Error Report ![View problem reports tool with report statuses](images/control-panel-problem-reports-screen.png) +## Known Issues with Diagnostic Data Viewer + +### Microsoft Edge diagnostic data appearing as a blob of text + +**Applicable to:** The new Microsoft Edge (v. 79.x.x.x or higher) + +**Issue:** In some cases, diagnostic data collected and sent from the New Microsoft Edge fails to be translated by the decoder. When decoding fails, the data appears as a blob of text in the Diagnostic Data Viewer. We are working on a fix for this issue. + +**Workaround:** + +- Restart your computer and open Diagnostic Data Viewer. + +*OR* + +- Restart the *DiagTrack* service, through the Services tab in task manager, and open Diagnostic Data Viewer. + +**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text. \ No newline at end of file diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index f6f7b30864..0554cb4e28 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -37,7 +37,6 @@ sections:
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved External
    November 15, 2019
    05:59 PM PT
    Updates may fail to install and you may receive Error 0x80073701
    Installation of updates may fail and you may receive error code 0x80073701.

    See details >OS Build 18362.145

    May 29, 2019
    KB4497935Resolved
    November 12, 2019
    08:11 AM PT
    Intel Audio displays an intcdaud.sys notification
    Devices with a range of Intel Display Audio device drivers may experience battery drain.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved External
    November 12, 2019
    08:04 AM PT -
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4505903July 26, 2019
    02:00 PM PT
    Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
    Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4517389October 08, 2019
    10:00 AM PT
    Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
    Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

    See details >N/A

    Resolved
    KB4522355October 24, 2019
    10:00 AM PT
    dGPU occasionally disappear from device manager on Surface Book 2
    Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

    See details >OS Build 18362.145

    May 29, 2019
    KB4497935Resolved
    October 18, 2019
    04:33 PM PT @@ -54,8 +53,6 @@ sections:
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start on devices in which the operating system language was changed between updates.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4512941August 30, 2019
    10:00 AM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >OS Build 18362.175

    June 11, 2019
    KB4503293Resolved
    KB4512941August 30, 2019
    10:00 AM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

    See details >OS Build 18362.175

    June 11, 2019
    KB4503293Resolved External
    August 09, 2019
    07:03 PM PT -
    Display brightness may not respond to adjustments
    Devices configured with certain Intel display drivers may experience a driver compatibility issue.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4505903July 26, 2019
    02:00 PM PT -
    RASMAN service may stop working and result in the error “0xc0000005”
    The RASMAN service may stop working with VPN profiles configured as an Always On VPN connection.

    See details >OS Build 18362.145

    May 29, 2019
    KB4497935Resolved
    KB4505903July 26, 2019
    02:00 PM PT " @@ -116,15 +113,6 @@ sections: " -- title: June 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    RASMAN service may stop working and result in the error “0xc0000005”
    The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

    This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

    Affected platforms
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4505903.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4505903
    Resolved:
    July 26, 2019
    02:00 PM PT

    Opened:
    June 28, 2019
    05:01 PM PT
    - " - - title: May 2019 - items: - type: markdown @@ -133,8 +121,6 @@ sections:
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved External
    Last updated:
    November 22, 2019
    04:10 PM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    • Server: Windows 10, version 1909; Windows Server, version 1903
    Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved External
    Last updated:
    November 15, 2019
    05:59 PM PT

    Opened:
    May 21, 2019
    07:29 AM PT
    Intel Audio displays an intcdaud.sys notification
    Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
      
    To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809
    Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.

    Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved External
    Last updated:
    November 12, 2019
    08:04 AM PT

    Opened:
    May 21, 2019
    07:22 AM PT -
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
    • Connecting to (or disconnecting from) an external monitor, dock, or projector
    • Rotating the screen
    • Updating display drivers or making other display mode changes
    • Closing full screen applications
    • Applying custom color profiles
    • Running applications that rely on custom gamma ramps
    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed.

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4505903Resolved:
    July 26, 2019
    02:00 PM PT

    Opened:
    May 21, 2019
    07:28 AM PT
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4512941.

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4512941Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    May 24, 2019
    04:20 PM PT -
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

    To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4505903Resolved:
    July 26, 2019
    02:00 PM PT

    Opened:
    May 21, 2019
    07:56 AM PT " diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index f88f58ac4c..a5cd7e2724 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,7 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    - + @@ -79,7 +79,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Custom wallpaper displays as black
    Using a custom image set to \"Stretch\" might not display as expected.

    See details >
    January 14, 2020
    KB4534310
    Mitigated
    January 24, 2020
    09:15 AM PT
    Custom wallpaper displays as black
    Using a custom image set to \"Stretch\" might not display as expected.

    See details >
    January 14, 2020
    KB4534310
    Mitigated
    January 27, 2020
    12:27 PM PT
    MSRT might fail to install and be re-offered from Windows Update or WSUS
    The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

    See details >

    Resolved
    January 23, 2020
    02:08 PM PT
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >
    October 08, 2019
    KB4519976
    Mitigated External
    November 05, 2019
    03:36 PM PT
    IA64 and x64 devices may fail to start after installing updates
    After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.

    See details >
    August 13, 2019
    KB4512506
    Mitigated
    August 17, 2019
    12:59 PM PT
    - +
    DetailsOriginating updateStatusHistory
    Custom wallpaper displays as black
    After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.

    Affected platforms:
    • Client: Windows 7 SP1
    • Server: Windows Server 2008 R2 SP1
    Workaround: To mitigate the issue, you can do one of the following:
    • Set your custom image to an option other than \"Stretch\", such as “Fill”, “Fit”, “Tile”, or “Center”, or
    • Choose a custom wallpaper that matches the resolution of your desktop.
    Next steps: We are working on a resolution and estimate a solution will be available in mid-February for organizations who have purchased Windows 7 Extended Security Updates (ESU).

    Back to top
    January 14, 2020
    KB4534310
    Mitigated
    Last updated:
    January 24, 2020
    09:15 AM PT

    Opened:
    January 24, 2020
    09:15 AM PT
    Custom wallpaper displays as black
    After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.

    Affected platforms:
    • Client: Windows 7 SP1
    • Server: Windows Server 2008 R2 SP1
    Workaround: To mitigate the issue, you can do one of the following:
    • Set your custom image to an option other than \"Stretch\", such as “Fill”, “Fit”, “Tile”, or “Center”, or
    • Choose a custom wallpaper that matches the resolution of your desktop.
    Next steps: We are working on a resolution and estimate a solution will be available mid-February, which will be released to all customers running Windows 7 and Windows Server 2008 R2 SP1.

    Back to top
    January 14, 2020
    KB4534310
    Mitigated
    Last updated:
    January 27, 2020
    12:27 PM PT

    Opened:
    January 24, 2020
    09:15 AM PT
    " diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 671d2a1748..7cd86d392d 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,6 +50,7 @@ sections: text: " + diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 6bd34daec8..e37e6d8711 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -34,8 +34,11 @@ #### [Web protection]() ##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md) -##### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md) -##### [Respond to web threats](microsoft-defender-atp/web-protection-response.md) +##### [Web threat protection]() +###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md) +###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md) +###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md) +##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md) #### [Controlled folder access](microsoft-defender-atp/controlled-folders.md) #### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md) 
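Review bot: in the new "Known Issues with Diagnostic Data Viewer" section of diagnostic-data-viewer-overview.md, the Background paragraph reads "is sent using a Protocol Buffers (protobuf)"; drop the article ("is sent using Protocol Buffers (protobuf)"). The same hunk mixes "the new Microsoft Edge" and "the New Microsoft Edge", and "task manager" should be "Task Manager"; pick one capitalization. The hunk also ends with "\ No newline at end of file", so add the trailing newline before merging.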
@@ -400,6 +403,9 @@ ####### [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md) ####### [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md) ####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md) +####### [Get installed software](microsoft-defender-atp/get-installed-software.md) +####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md) +####### [Get security recommendation](microsoft-defender-atp/get-security-recommendations.md) ####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md) ####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md) 
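Review bot: the new TOC entry "[Get security recommendation](microsoft-defender-atp/get-security-recommendations.md)" uses a singular title for a file and sibling entries that are plural ("get-security-recommendations.md", "Get discovered vulnerabilities"); rename it "Get security recommendations" so the title and file agree.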
@@ -450,6 +456,34 @@ ####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md) ####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md) +###### [Score]() +####### [Score methods and properties](microsoft-defender-atp/score.md) +####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md) +####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md) +####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md) + +###### [Software]() +####### [Software methods and properties](microsoft-defender-atp/software.md) +####### [List software](microsoft-defender-atp/get-software.md) +####### [Get software by Id](microsoft-defender-atp/get-software-by-id.md) +####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md) +####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md) +####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md) + +###### [Vulnerability]() +####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md) +####### [Get all vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md) +####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md) +####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md) + +###### [Recommendation]() +####### [Recommendation methods and properties](microsoft-defender-atp/recommendation.md) +####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md) +####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md) +####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md) +####### [Get recommendation by machines](microsoft-defender-atp/get-recommendation-machines.md) +####### [Get recommendation by 
vulnerabilities](microsoft-defender-atp/get-recommendation-vulnerabilities.md) + ##### [How to use APIs - Samples]() ###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md) ###### [Power BI](microsoft-defender-atp/api-power-bi.md) @@ -457,11 +491,18 @@ ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md) +#### [Windows updates (KB) info]() +##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md) + +#### [Common Vulnerabilities and Exposures (CVE) to KB map]() +##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md) + +#### [Pull detections to your SIEM tools]() #### [Raw data streaming API]() ##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md) ##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md) ##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md) - + #### [SIEM integration]() ##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 8be692ccbc..a040722887 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md 
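Review bot: "+#### [Pull detections to your SIEM tools]()" is added as a heading with no child pages and is immediately followed by "#### [Raw data streaming API]()", so it renders as an empty expandable node; either nest the "Raw data streaming API" and "SIEM integration" entries under it or drop the line. In the same region the new entries "Get software by Id", "Get vulnerability by Id" and "Get recommendation by Id" write "Id" while the existing "Get machine by ID" writes "ID"; use one form.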
@@ -74,3 +74,8 @@ See how you can [improve your security configuration](https://docs.microsoft.com - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) +- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) +- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index bff2f62710..c3f4376a4a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -1,7 +1,7 @@ --- title: Onboarding tools and methods for Windows 10 machines description: Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor -keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune +keywords: Onboard Windows 10 machines, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
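Review bot: in configuration-score.md the new link "- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)" points at the vulnerability page, the same target as the line above it; it should end in ".../microsoft-defender-atp/recommendation", matching the "Recommendation methods and properties" page (microsoft-defender-atp/recommendation.md) added to the TOC in this commit. The hunk also appends an empty line at end of file, which is usually unwanted.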
@@ -31,7 +31,7 @@ Machines in your organization must be configured so that the Microsoft Defender The following deployment tools and methods are supported: - Group Policy -- System Center Configuration Manager +- Microsoft Endpoint Configuration Manager - Mobile Device Management (including Microsoft Intune) - Local script @@ -39,7 +39,7 @@ The following deployment tools and methods are supported: Topic | Description :---|:--- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on machines. -[Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on machines. +[Onboard Windows machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on machines. [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine. [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints. [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI machines. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 08b54bfbe4..f6e320c931 100644 
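Review bot: the rewritten table row in configure-endpoints.md keeps the duplicated verb from the old text: "You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or ..."; change it to "You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606 or ...". The new link text "Onboard Windows machines using Microsoft Endpoint Configuration Manager" also drops the "10" that every sibling row keeps ("Onboard Windows 10 machines using Group Policy"); keep "Windows 10" unless the page really now covers other versions.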
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -129,7 +129,7 @@ Once completed, you should see onboarded servers in the portal within an hour. To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below. > [!NOTE] -> The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs). +> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Microsoft Endpoint Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). Supported tools include: - Local script diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index ae15f3e5c4..9cb8182798 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
@@ -25,13 +25,13 @@ ms.custom: asr - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the Microsoft Endpoint Configuration Manager and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders. 
Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. -Apps can also be manually added to the trusted list via SCCM and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. +Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 80c8e25156..1b8c03d660 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md 
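Review bot: in controlled-folders.md the replacement "or from the Microsoft Endpoint Configuration Manager and Intune, for managed devices" reads oddly with the article; the product name does not take "the", so write "or from Microsoft Endpoint Configuration Manager and Intune, for managed devices". The second hunk's "via Configuration Manager and Intune" is fine since the full name is introduced earlier on the page.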
@@ -33,11 +33,11 @@ You can enable attack surface reduction rules by using any of these methods: * [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mdm) -* [System Center Configuration Manager (SCCM)](#sccm) +* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) * [PowerShell](#powershell) -Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. +Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. ## Exclude files and folders from ASR rules @@ -99,9 +99,9 @@ Value: c:\path|e:\path|c:\Whitelisted.exe > [!NOTE] > Be sure to enter OMA-URI values without spaces. -## SCCM +## Microsoft Endpoint Configuration Manager -1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. 1. Click **Home** > **Create Exploit Guard Policy**. 1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. 1. Choose which rules will block or audit actions and click **Next**. 
@@ -111,7 +111,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ## Group Policy > [!WARNING] -> If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. +> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -134,7 +134,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ## PowerShell >[!WARNING] ->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. +>If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 40cbdce038..511c7973f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md 
@@ -30,7 +30,7 @@ You can enable controlled folder access by using any of these methods: * [Windows Security app](#windows-security-app) * [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mdm) -* [System Center Configuration Manager (SCCM)](#sccm) +* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) * [PowerShell](#powershell) @@ -78,9 +78,9 @@ For more information about disabling local list merging, see [Prevent or allow u Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. -## SCCM +## Microsoft Endpoint Configuration Manager -1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. 2. Click **Home** > **Create Exploit Guard Policy**. 3. Enter a name and a description, click **Controlled folder access**, and click **Next**. 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 36853a0451..9c926b6d06 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md 
@@ -32,12 +32,12 @@ Many features from the Enhanced Mitigation Experience Toolkit (EMET) are include You can enable each mitigation separately by using any of these methods: -- [Windows Security app](#windows-security-app) -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Windows Security app](#windows-security-app) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. 
@@ -121,14 +121,14 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode. -## SCCM +## Microsoft Endpoint Configuration Manager -1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Exploit protection**, and click **Next**. -4. Browse to the location of the exploit protection XML file and click **Next**. -5. Review the settings and click **Next** to create the policy. -6. After the policy is created, click **Close**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Click **Home** > **Create Exploit Guard Policy**. +1. Enter a name and a description, click **Exploit protection**, and click **Next**. +1. Browse to the location of the exploit protection XML file and click **Next**. +1. Review the settings and click **Next** to create the policy. +1. After the policy is created, click **Close**. ## Group Policy diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 7f23be0e27..db54d852de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md 
@@ -30,7 +30,7 @@ You can enable network protection by using any of these methods: * [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mdm) -* [System Center Configuration Manager (SCCM)](#sccm) +* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) * [PowerShell](#powershell) @@ -49,9 +49,9 @@ You can enable network protection by using any of these methods: Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. -## SCCM +## Microsoft Endpoint Configuration Manager -1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. 1. Click **Home** > **Create Exploit Guard Policy**. 1. Enter a name and a description, click **Network protection**, and click **Next**. 1. Choose whether to block or audit access to suspicious domains and click **Next**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index 5f8fc8a0da..da28a46770 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md 
@@ -46,7 +46,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode > [!TIP] > If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). +You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index c91de23386..8c836888bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md @@ -57,6 +57,10 @@ Machines | Run API calls such as get machines, get machines by ID, information a Machine Actions | Run API call such as Isolation, Run anti-virus scan and more. Indicators | Run API call such as create Indicator, get Indicators and delete Indicators. Users | Run API calls such as get user related alerts and user related machines. +Score | Run API calls such as get exposure score or get device secure score. +Software | Run API calls such as list vulnerabilities by software. +Vulnerability | Run API calls such as list machines by vulnerability. +Recommendation | Run API calls such as Get recommendation by Id. ## Related topic - [Microsoft Defender ATP APIs](apis-intro.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md new file mode 100644 index 0000000000..1735811830 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md 
@@ -0,0 +1,108 @@ +--- +title: List all recommendations +description: Retrieves a list of all security recommendations affecting the organization. +keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List all recommendations +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a list of all security recommendations affecting the organization. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/recommendations +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the list of security recommendations in the body. + + +## Example + +**Request** + +Here is an example of the request. 
+ +``` +GET https://api.securitycenter.windows.com/api/recommendations +``` + +**Response** + +Here is an example of the response. + + +``` +Content-type: json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations", + "value": [ + { + "id": "va-_-microsoft-_-windows_10", + "productName": "windows_10", + "recommendationName": "Update Windows 10", + "weaknesses": 397, + "vendor": "microsoft", + "recommendedVersion": "", + "recommendationCategory": "Application", + "subCategory": "", + "severityScore": 0, + "publicExploit": true, + "activeAlert": false, + "associatedThreats": [ + "3098b8ef-23b1-46b3-aed4-499e1928f9ed", + "40c189d5-0330-4654-a816-e48c2b7f9c4b", + "4b0c9702-9b6c-4ca2-9d02-1556869f56f8", + "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d", + "94b6e94b-0c1d-4817-ac06-c3b8639be3ab" + ], + "remediationType": "Update", + "status": "Active", + "configScoreImpact": 0, + "exposureImpact": 7.674418604651163, + "totalMachineCount": 37, + "exposedMachinesCount": 7, + "nonProductivityImpactedAssets": 0, + "relatedComponent": "Windows 10" + } + ] +} +``` +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md new file mode 100644 index 0000000000..e0e4243d76 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md 
@@ -0,0 +1,96 @@ +--- +title: Get all vulnerabilities +description: Retrieves a list of all the vulnerabilities affecting the organization +keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get all vulnerabilities +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a list of all the vulnerabilities affecting the organization. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information' +Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information' + +## HTTP request +``` +GET /api/vulnerabilities +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the list of vulnerabilities in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Vulnerabilities +``` + +**Response** + +Here is an example of the response. 
+ + +``` +Content-type: json +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities", + "value": [ + { + "id": "CVE-2019-0608", + "name": "CVE-2019-0608", + "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.", + "severity": "Medium", + "cvssV3": 4.3, + "exposedMachines": 4, + "publishedOn": "2019-10-08T00:00:00Z", + "updatedOn": "2019-12-16T16:20:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } + ] + { +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md new file mode 100644 index 0000000000..dfd844de6b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md 
@@ -0,0 +1,84 @@ +--- +title: Get Device Secure score +description: Retrieves the organizational device secure score. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get Device Secure score + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves the organizational device secure score. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score' +Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score' + +## HTTP request +``` +GET /api/configurationScore +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, with the with device secure score data in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/configurationScore +``` + +**Response** + +Here is an example of the response. 
+ +>[!NOTE] +>The response list shown here may be truncated for brevity. + + +```json +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity", + "time": "2019-12-03T09:15:58.1665846Z", + "score": 340, + "rbacGroupId": null +} +``` + +## Related topics +- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md new file mode 100644 index 0000000000..f41e0af06d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md 
@@ -0,0 +1,93 @@ +--- +title: Get discovered vulnerabilities +description: Retrieves a collection of discovered vulnerabilities related to a given machine ID. +keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get discovered vulnerabilities +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a collection of discovered vulnerabilities related to a given machine ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information' +Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information' + +## HTTP request +``` +GET /api/machines/{machineId}/vulnerabilities +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the discovered vulnerability information in the body. + + +## Example + +**Request** + +Here is an example of the request. 
+ +``` +GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities +``` + +**Response** + +Here is an example of the response. + + +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", + "value": [ + { + "id": "CVE-2019-1348", + "name": "CVE-2019-1348", + "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.", + "severity": "Medium", + "cvssV3": 4.3, + "exposedMachines": 1, + "publishedOn": "2019-12-13T00:00:00Z", + "updatedOn": "2019-12-13T00:00:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md new file mode 100644 index 0000000000..f57f5e53cf --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md 
@@ -0,0 +1,89 @@ +--- +title: Get exposure score +description: Retrieves the organizational exposure score. +keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get exposure score + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves the organizational exposure score. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Score.Read.All | 'Read Threat and Vulnerability Management score' +Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score' + + +## HTTP request +``` +GET /api/exposureScore +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, with the exposure data in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/exposureScore +``` + +**Response** + +Here is an example of the response. + +>[!NOTE] +>The response list shown here may be truncated for brevity. 
+ + +```json +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity", + "time": "2019-12-03T07:23:53.280499Z", + "score": 33.491554051195706, + "rbacGroupId": null +} + +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md new file mode 100644 index 0000000000..9263243f0d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md 
@@ -0,0 +1,89 @@ +--- +title: Get installed software +description: Retrieves a collection of installed software related to a given machine ID. +keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per machine, threat & vulnerability management api, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get installed software +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a collection of installed software related to a given machine ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/machines/{machineId}/software +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the installed software information in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software +``` + +**Response** + +Here is an example of the response. 
+ + +``` +{ +"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software", +"value": [ + { +"id": "microsoft-_-internet_explorer", +"name": "internet_explorer", +"vendor": "microsoft", +"weaknesses": 67, +"publicExploit": true, +"activeAlert": false, +"exposedMachines": 42115, +"impactScore": 46.2037163 + } + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md new file mode 100644 index 0000000000..a85a0bc44e --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md 
@@ -0,0 +1,100 @@ +--- +title: List exposure score by machine group +description: Retrieves a list of exposure scores by machine group. +keywords: apis, graph api, supported apis, get, exposure score, machine group, machine group exposure score +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List exposure score by machine group + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a collection of alerts related to a given domain address. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Score.Read.All | 'Read Threat and Vulnerability Management score' +Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score' + +## HTTP request +``` +GET /api/exposureScore/ByMachineGroups +``` + +## Request headers + +| Name | Type | Description +|:--------------|:-------|:--------------| +| Authorization | String | Bearer {token}.**Required**. + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, with a list of exposure score per machine group data in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups +``` + +**Response** + +Here is an example of the response. 
+ +```json + +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore", + "value": [ + { + "time": "2019-12-03T09:51:28.214338Z", + "score": 41.38041766305988, + "rbacGroupId": 10 + }, + { + "time": "2019-12-03T09:51:28.2143399Z", + "score": 37.403726933165366, + "rbacGroupId": 11 + }, + { + "time": "2019-12-03T09:51:28.2143407Z", + "score": 26.390921344426033, + "rbacGroupId": 9 + }, + { + "time": "2019-12-03T09:51:28.2143414Z", + "score": 23.58823563070858, + "rbacGroupId": 5 + } + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md new file mode 100644 index 0000000000..81d6659101 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md 
@@ -0,0 +1,92 @@ +--- +title: List machines by software +description: Retrieve a list of machines that has this software installed. +keywords: apis, graph api, supported apis, get, list machines, machines list, list machines by software, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List machines by software + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieve a list of machines that has this software installed. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/Software/{Id}/machineReferences +``` + +## Request headers + +| Name | Type | Description +|:--------------|:-------|:--------------| +| Authorization | String | Bearer {token}.**Required**. + +## Request body +Empty + +## Response +If successful, this method returns 200 OK and a list of machines with the software installed in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences +``` + +**Response** + +Here is an example of the response. 
+ +```json + +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences", + "value": [ + { + "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762", + "computerDnsName": "dave_desktop", + "osPlatform": "Windows10", + "rbacGroupId": 9 + }, + { + "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d", + "computerDnsName": "jane_PC", + "osPlatform": "Windows10", + "rbacGroupId": 9 + } +] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md new file mode 100644 index 0000000000..5ee5fe1b47 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md 
@@ -0,0 +1,92 @@ +--- +title: List machines by vulnerability +description: Retrieves a list of machines affected by a vulnerability. +keywords: apis, graph api, supported apis, get, machines list, vulnerable machines, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List machines by vulnerability +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a list of machines affected by a vulnerability. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information' +Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information' + +## HTTP request +``` +GET /api/vulnerabilities/{cveId}/machineReferences +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the vulnerability information in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences +``` + +**Response** + +Here is an example of the response. 
+ + +``` +Content-type: json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences", + "value": [ + { + "id": "235a2e6278c63fcf85bab9c370396972c58843de", + "computerDnsName": "h1mkn_PC", + "osPlatform": "Windows10", + "rbacGroupId": 1268 + }, + { + "id": "afb3f807d1a185ac66668f493af028385bfca184", + "computerDnsName": "chat_Desk ", + "osPlatform": "Windows10", + "rbacGroupId": 410 + } + ] + } +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md new file mode 100644 index 0000000000..6a56d41c99 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md 
@@ -0,0 +1,97 @@ +--- +title: Get recommendation by Id +description: Retrieves a security recommendation by its ID. +keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get recommendation by ID +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a security recommendation by its ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/recommendations/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the security recommendations in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome +``` + +**Response** + +Here is an example of the response. 
+ +``` +Content-type: json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity", + "id": "va-_-google-_-chrome", + "productName": "chrome", + "recommendationName": "Update Chrome", + "weaknesses": 38, + "vendor": "google", + "recommendedVersion": "", + "recommendationCategory": "Application", + "subCategory": "", + "severityScore": 0, + "publicExploit": false, + "activeAlert": false, + "associatedThreats": [], + "remediationType": "Update", + "status": "Active", + "configScoreImpact": 0, + "exposureImpact": 3.9441860465116285, + "totalMachineCount": 6, + "exposedMachinesCount": 5, + "nonProductivityImpactedAssets": 0, + "relatedComponent": "Chrome" +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md new file mode 100644 index 0000000000..d74dc47279 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md 
@@ -0,0 +1,84 @@ +--- +title: Get recommendation by machines +description: Retrieves a list of machines associated with the security recommendation. +keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get recommendation by machines +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a list of machines associated with the security recommendation. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/recommendations/{id}/machineReferences +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the list of machines associated with the security recommendation. + + +## Example + +**Request** + +Here is an example of the request. 
+ +``` +GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences +``` + +**Response** + +Here is an example of the response. + +```json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences", + "value": [ + { + "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee", + "computerDnsName": "niw_pc", + "osPlatform": "Windows10", + "rbacGroupId": 2154 + } + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md new file mode 100644 index 0000000000..de192c1e9f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md 
@@ -0,0 +1,85 @@ +--- +title: Get recommendation by software +description: Retrieves a security recommendation related to a specific software. +keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get recommendation by software +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a security recommendation related to a specific software. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/recommendations/{id}/software +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the software associated with the security recommendations in the body. + + +## Example + +**Request** + +Here is an example of the request. 
+ +``` +GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software +``` + +**Response** + +Here is an example of the response. + +``` +Content-type: json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto", + "id": "google-_-chrome", + "name": "chrome", + "vendor": "google", + "weaknesses": 38, + "publicExploit": false, + "activeAlert": false, + "exposedMachines": 5, + "impactScore": 3.94418621 +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md new file mode 100644 index 0000000000..c9ca363c20 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md 
@@ -0,0 +1,94 @@ +--- +title: Get recommendation by vulnerabilities +description: Retrieves a list of vulnerabilities associated with the security recommendation. +keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get recommendation by vulnerabilities +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a list of vulnerabilities associated with the security recommendation. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/recommendations/{id}/vulnerabilities +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation. 
+ + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities +``` + +**Response** + +Here is an example of the response. + +``` +Content-type: json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", + "value": [ + { + "id": "CVE-2019-13748", + "name": "CVE-2019-13748", + "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "severity": "Medium", + "cvssV3": 6.5, + "exposedMachines": 0, + "publishedOn": "2019-12-10T00:00:00Z", + "updatedOn": "2019-12-16T12:15:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md new file mode 100644 index 0000000000..61ca64ff6b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md 
@@ -0,0 +1,101 @@ +--- +title: Get security recommendations +description: Retrieves a collection of security recommendations related to a given machine ID. +keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per machine, threat & vulnerability management api, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get security recommendations +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a collection of security recommendations related to a given machine ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/machines/{machineId}/recommendations +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the security recommendations in the body. + + +## Example + +**Request** + +Here is an example of the request. 
+ +``` +GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations +``` + +**Response** + +Here is an example of the response. + + +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations", + "value": [ + { + "id": "va-_-git-scm-_-git", + "productName": "git", + "recommendationName": "Update Git to version 2.24.1.2", + "weaknesses": 3, + "vendor": "git-scm", + "recommendedVersion": "2.24.1.2", + "recommendationCategory": "Application", + "subCategory": "", + "severityScore": 0, + "publicExploit": false, + "activeAlert": false, + "associatedThreats": [], + "remediationType": "Update", + "status": "Active", + "configScoreImpact": 0, + "exposureImpact": 0, + "totalMachineCount": 0, + "exposedMachinesCount": 1, + "nonProductivityImpactedAssets": 0, + "relatedComponent": "Git" + }, +… +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md new file mode 100644 index 0000000000..c57fe74368 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md 
@@ -0,0 +1,86 @@ +--- +title: Get software by Id +description: Retrieves a list of exposure scores by machine group. +keywords: apis, graph api, supported apis, get, software, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get software by Id + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves software details by ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/Software/{Id} +``` + +## Request headers + +| Name | Type | Description +|:--------------|:-------|:--------------| +| Authorization | String | Bearer {token}.**Required**. + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the specified software data in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge +``` + +**Response** + +Here is an example of the response. 
+ +```json + +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity", + "id": "microsoft-_-edge", + "name": "edge", + "vendor": "microsoft", + "weaknesses": 467, + "publicExploit": true, + "activeAlert": false, + "exposedMachines": 172, + "impactScore": 2.39947438 +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md new file mode 100644 index 0000000000..2ba8c06b69 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md 
@@ -0,0 +1,90 @@ +--- +title: List software version distribution +description: Retrieves a list of your organization's software version distribution +keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List software version distribution + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a list of your organization's software version distribution. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/Software/{Id}/distributions +``` + +## Request headers + +| Name | Type | Description +|:--------------|:-------|:--------------| +| Authorization | String | Bearer {token}.**Required**. + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with a list of software distributions data in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions +``` + +**Response** + +Here is an example of the response. 
+ +```json + +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions", + "value": [ + { + "version": "11.0.17134.1039", + "installations": 1, + "vulnerabilities": 11 + }, + { + "version": "11.0.18363.535", + "installations": 750, + "vulnerabilities": 0 + } + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md new file mode 100644 index 0000000000..1ec2bcccd1 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md 
@@ -0,0 +1,89 @@ +--- +title: List software +description: Retrieves a list of software inventory +keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List software inventory API +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves the organization software inventory. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/Software +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the software inventory in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software +``` + +**Response** + +Here is an example of the response. 
+ + +``` +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software", + "value": [ + { + "id": "microsoft-_-edge", + "name": "edge", + "vendor": "microsoft", + "weaknesses": 467, + "publicExploit": true, + "activeAlert": false, + "exposedMachines": 172, + "impactScore": 2.39947438 + } + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md new file mode 100644 index 0000000000..6fa52754b7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md 
@@ -0,0 +1,92 @@ +--- +title: List vulnerabilities by software +description: Retrieve a list of vulnerabilities in the installed software. +keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List vulnerabilities by software + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieve a list of vulnerabilities in the installed software. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/Software/{Id}/vulnerabilities +``` + +## Request headers + +| Name | Type | Description +|:--------------|:-------|:--------------| +| Authorization | String | Bearer {token}.**Required**. + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities +``` + +**Response** + +Here is an example of the response. 
+ +```json + +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", + "value": [ + { + "id": "CVE-2017-0140", + "name": "CVE-2017-0140", + "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.", + "severity": "Medium", + "cvssV3": 4.2, + "exposedMachines": 1, + "publishedOn": "2017-03-14T00:00:00Z", + "updatedOn": "2019-10-03T00:03:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } + ] +} +``` + diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md new file mode 100644 index 0000000000..e4ccb6c433 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md 
@@ -0,0 +1,89 @@ +--- +title: Get vulnerability by Id +description: Retrieves vulnerability information by its ID. +keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get vulnerability by ID +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves vulnerability information by its ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information' +Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information' + +## HTTP request +``` +GET /api/vulnerabilities/{cveId} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the vulnerability information in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608 +``` + +**Response** + +Here is an example of the response. 
+ +``` +Content-type: json +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity", + "id": "CVE-2019-0608", + "name": "CVE-2019-0608", + "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.", + "severity": "Medium", + "cvssV3": 4.3, + "exposedMachines": 4, + "publishedOn": "2019-10-08T00:00:00Z", + "updatedOn": "2019-12-16T16:20:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] +} +``` +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category.png new file mode 100644 index 0000000000..8c4e86272a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png new file mode 100644 index 0000000000..d01215dee9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png new file mode 100644 index 0000000000..d9fc4ed73a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png new file mode 100644 index 0000000000..c6c86c4c3b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png new file mode 100644 index 0000000000..bba1d35a38 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-reports.png new file mode 100644 index 0000000000..58fd253994 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-reports.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png new file mode 100644 index 0000000000..7b47ead343 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index 4edb6f1e70..a38094be67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -22,6 +22,7 @@ ms.topic: article - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Prerelease information](../../includes/prerelease.md)] ## Methods Method|Return Type |Description 
@@ -30,6 +31,9 @@ Method|Return Type |Description [Get machine](get-machine-by-id.md) | [machine](machine.md) | Get a [machine](machine.md) by its identity. [Get logged on users](get-machine-log-on-users.md) | [user](user.md) collection | Get the set of [User](user.md) that logged on to the [machine](machine.md). [Get related alerts](get-machine-related-alerts.md) | [alert](alerts.md) collection | Get the set of [alert](alerts.md) entities that were raised on the [machine](machine.md). +[Get installed software](get-installed-software.md) | [software](software.md) collection | Retrieves a collection of installed software related to a given machine ID. +[Get discovered vulnerabilities](get-discovered-vulnerabilities.md) | [vulnerability](vulnerability.md) collection | Retrieves a collection of discovered vulnerabilities related to a given machine ID. +[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID. [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine. [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP. 
@@ -52,29 +56,4 @@ riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. P exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined). machineTags | String collection | Set of [machine](machine.md) tags. - - -## Json representation - -```json -{ - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "version": "1709", - "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] -} -``` \ No newline at end of file +exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index e23db78609..f838be1390 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md 
@@ -31,7 +31,7 @@ Acknowledging that customer environments and structures can vary, Microsoft Defe ## Endpoint onboarding and portal access -Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management. +Machine onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management. Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: - Globally distributed organizations and security teams @@ -50,7 +50,6 @@ The Microsoft Defender ATP APIs can be grouped into three: - Raw data streaming API - SIEM integration - ## Microsoft Defender ATP APIs Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. 
@@ -70,10 +69,8 @@ For more information see, [Raw data streaming API](raw-data-export.md). ## SIEM API When you enable security information and event management (SIEM) integration it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. For more information see, [SIEM integration](enable-siem-integration.md) - ## Related topics - [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md) - [Supported APIs](exposed-apis-list.md) - [Technical partner opportunities](partner-integration.md) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index b2c1bdcbf9..5c52a93ff5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -1,6 +1,6 @@ --- title: Minimum requirements for Microsoft Defender ATP -description: Understand the licensing requirements and requirements for onboarding machines to the sercvie +description: Understand the licensing requirements and requirements for onboarding machines to the service keywords: minimum requirements, licensing, comparison table search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -183,7 +183,7 @@ For more information, see [Windows Defender Antivirus compatibility](../windows- ## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard. -If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). +If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 98d455063a..3da4badfe6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md 
@@ -30,12 +30,12 @@ It helps organizations discover vulnerabilities and misconfigurations in real-ti ## Next-generation capabilities Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. -It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). +It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager. It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Linked machine vulnerability and security configuration assessment data in the context of exposure discovery -- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager +- Built-in remediation processes through Microsoft Intune and Configuration Manager ### Real-time discovery 
@@ -55,7 +55,7 @@ Threat & Vulnerability Management helps customers prioritize and focus on those ### Seamless remediation Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. -- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. +- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. - Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. 
@@ -70,3 +70,8 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) +- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) +- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) +- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 7d9e52a115..ea9ee7efc8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md 
@@ -34,7 +34,7 @@ Follow the corresponding instructions depending on your preferred deployment met ## Offboard Windows 10 machines - [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script) - [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy) -- [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) +- [Offboard machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools) ## Offboard Servers diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index f67f450978..1247c43078 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md 
@@ -31,7 +31,8 @@ Reduce your attack surfaces by minimizing the places where your organization is |[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. | |[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. | |[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. | -|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | +|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) | +|[Web protection](./web-protection-overview.md) |Secure your machines against web threats and help you regulate unwanted content. |[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) | |[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) | |[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. | 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index b02f8e485d..4cde145e4c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -43,6 +43,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: +- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
    Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. + - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
    Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. - [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
    You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories. diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md new file mode 100644 index 0000000000..221645d516 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md 
@@ -0,0 +1,59 @@ +--- +title: Recommendation methods and properties +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Recommendation resource type + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +## Methods +Method |Return Type |Description +:---|:---|:--- +[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization +[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID +[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software +[Get recommendation machines](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of machines associated with the security recommendation +[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation + + +## Properties +Property | Type | Description +:---|:---|:--- +id | String | Recommendation ID +productName | String | Related software name +recommendationName | String | Recommendation name +Weaknesses | Long | 
Number of discovered vulnerabilities +Vendor | String | Related vendor name +recommendedVersion | String | Recommended version +recommendationCategory | String | Recommendation category. Possible values are: “Accounts”, “Application”, “Network”, “OS”, “SecurityStack +subCategory | String | Recommendation sub-category +severityScore | Double | Potential impact of the configuration to the organization’s configuration score (1-10) +publicExploit | Boolean | Public exploit is available +activeAlert | Boolean | Active alert is associated with this recommendation +associatedThreats | String collection | Threat analytics report is associated with this recommendation +remediationType | String | Remediation type. Possible values are: “ConfigurationChange”,“Update”,“Upgrade”,”Uninstall” +Status | Enum | Recommendation exception status. Possible values are: “Active” and “Exception” +configScoreImpact | Double | Configuration score impact +exposureImpacte | Double | Exposure score impact +totalMachineCount | Long | Number of installed machines +exposedMachinesCount | Long | Number of installed machines that are exposed to vulnerabilities +nonProductivityImpactedAssets | Long | Number of machines which are not affected +relatedComponent | String | Related software component diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md new file mode 100644 index 0000000000..9a903d296f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/score.md 
@@ -0,0 +1,77 @@ +--- +title: Score methods and properties +description: Retrieves your organization's exposure score, device secure score, and exposure score by machine group +keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by machine group +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Score resource type + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +## Methods +Method |Return Type |Description +:---|:---|:--- +[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score. +[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score. +[List exposure score by machine group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by machine group. + + +## Properties +Property | Type | Description +:---|:---|:--- +Score | Double | The current score. +Time | DateTime | The date and time in which the call for this API was made. +RbacGroupId | Nullable Int | RBAC Group ID. 
+ + +### Response example for getting machine groups score: + +``` +GET https://api.securitycenter.windows.com/api/exposureScore/byMachineGroups +``` + +```json +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore", + "value": [ + { + "time": "2019-12-03T07:26:49.9376328Z", + "score": 41.38041766305988, + "rbacGroupId": 10 + }, + { + "time": "2019-12-03T07:26:49.9376375Z", + "score": 23.58823563070858, + "rbacGroupId": 5 + }, + { + "time": "2019-12-03T07:26:49.9376382Z", + "score": 37.403726933165366, + "rbacGroupId": 11 + }, + { + "time": "2019-12-03T07:26:49.9376388Z", + "score": 26.323200116475423, + "rbacGroupId": 9 + } + ] +} + + +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md new file mode 100644 index 0000000000..49e8e4c12d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/software.md 
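Review bot: The heading `### Response example for getting machine groups score:` does not name which of the three methods in the table it illustrates; the request `GET .../api/exposureScore/byMachineGroups` belongs to `List exposure score by machine group`, so retitle the heading to match that method name (or move the example to `get-machine-group-exposure-score.md`, where the other method pages keep their own examples). Two smaller points in the same region: the request fence has no language tag while the response fence uses ```json, and the JSON block carries two blank lines before its closing fence. The `Time` description "in which the call for this API was made" reads better as "when the call to this API was made".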
@@ -0,0 +1,47 @@ +--- +title: Software methods and properties +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Software resource type + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +## Methods +Method |Return Type |Description +:---|:---|:--- +[List software](get-software.md) | Software collection | List the organizational software inventory. +[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID. +[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID. +[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID. +[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID. 
+ +## Properties +Property | Type | Description +:---|:---|:--- +id | String | Software ID +Name | String | Software name +Vendor | String | Software vendor name +Weaknesses | Long | Number of discovered vulnerabilities +publicExploit | Boolean | Public exploit exists for some of the vulnerabilities +activeAlert | Boolean | Active alert is associated with this software +exposedMachines | Long | Number of exposed machines +impactScore | Double | Exposure score impact of this software + diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 5f9dcadac9..7df11c3d9e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -42,7 +42,7 @@ Ensure that your machines: > RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) > 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) -- Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are use SCCM, update your console to the latest May version 1905 +- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version. - Have at least one security recommendation that can be viewed in the machine page - Are tagged or marked as co-managed 
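Review bot: The front matter of the new Software resource file is again copied from the alerts topic (`description: Retrieves top recent alerts.`, `keywords: ... alerts, recent`) and should describe the software inventory API. In the Methods table, `Software collection` and `Software` are plain text while `[Vulnerability](vulnerability.md)` is linked; link them to `software.md` the way the Score table links `[Score](score.md)`. Property names also mix casing (`Name`, `Vendor`, `Weaknesses` next to `publicExploit`, `exposedMachines`).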
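Review bot: In the threat-and-vuln-mgt-scenarios.md prerequisites hunk, replacing "update your console to the latest May version 1905" with "update your console to the latest version" removes the only concrete minimum, so an admin can no longer check whether an existing Configuration Manager console is new enough; keep the minimum supported version (or link to the page that states it) alongside the product rename. The bullet "Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager" also reads as if both are required; if either one is sufficient, write "Intune or Configuration Manager".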
@@ -212,3 +212,9 @@ After you have identified which software and software versions are vulnerable du - [Advanced hunting overview](overview-hunting.md) - [All advanced hunting tables](advanced-hunting-reference.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) +- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) +- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 53233130eb..e4cd47a5a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md 
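Review bot: The new `Recommendation APIs` bullet links to `.../microsoft-defender-atp/vulnerability`, the same target as the `Vulnerability APIs` bullet above it; it should point at the Recommendation resource page this PR adds. The same wrong target is repeated in the Related topics lists of the other tvm-* pages in this PR, so fix it in every hunk. The five new bullets also use absolute docs.microsoft.com URLs while the neighbouring `[Advanced hunting overview](overview-hunting.md)` links are relative; prefer the relative form the other bullets use. The hunk adds a trailing empty line at the end of the file as well.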
@@ -40,15 +40,13 @@ If you have completed the onboarding process and don't see machines in the [Mach If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. -### Troubleshoot onboarding issues when deploying with System Center Configuration Manager -When onboarding machines using the following versions of System Center Configuration Manager: +### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager +When onboarding machines using the following versions of Configuration Manager: - System Center 2012 Configuration Manager - System Center 2012 R2 Configuration Manager -- System Center Configuration Manager (current branch) version 1511 -- System Center Configuration Manager (current branch) version 1602 -Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. +Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. If the deployment fails, you can check the output of the script on the machines. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 74b76d9984..97a1b56853 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md 
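Review bot: After this hunk the list under "When onboarding machines using the following versions of Configuration Manager" contains only System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager, yet the heading now reads "Microsoft Endpoint Configuration Manager", which those two products are not branded as; either keep "System Center Configuration Manager" in this heading, since it is specifically about the 2012 versions, or reword the heading to cover script-based onboarding generically. Dropping the `version 1511` and `version 1602` current-branch entries also removes guidance for those consoles without saying whether they are now unsupported or onboard through a different path; one sentence stating where current-branch consoles are covered would close that gap.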
@@ -26,7 +26,7 @@ ms.topic: conceptual Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable machine vulnerability context during incident investigations -- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) +- Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: - View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index ee48894e3f..ad6de378c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md 
@@ -48,3 +48,7 @@ Reduce the exposure score by addressing what needs to be remediated based on the - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) +- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) +- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index a7dbb7c0ea..ffd3002549 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -1,6 +1,6 @@ --- title: Remediation and exception -description: Remediate security weaknesses and fill exceptions by integrating Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). +description: Remediate security weaknesses and fill exceptions by integrating Microsoft Intune and Microsoft Endpoint Configuration Manager. keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 
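Review bot: In the tvm-exposure-score.md Related topics hunk, the `Recommendation APIs` bullet links to `.../microsoft-defender-atp/vulnerability`, duplicating the `Vulnerability APIs` target on the line above it; point it at the Recommendation resource page added in this PR.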
@@ -133,5 +133,10 @@ The exception impact shows on both the Security recommendations page column and - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) +- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) +- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) +- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 047a7888c1..a33b2a7311 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md 
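Review bot: Same broken link in tvm-remediation.md: the `Recommendation APIs` bullet points at `.../microsoft-defender-atp/vulnerability` instead of the Recommendation resource page. This hunk also adds a trailing blank line at the end of the file.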
@@ -26,9 +26,9 @@ ms.date: 04/11/2019 [!include[Prerelease information](../../includes/prerelease.md)] -The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance. +The cyber security weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance. -Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment. +Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. ## The basis of the security recommendation Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time. 
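Review bot: Changing "cybersecurity" to "cyber security" in the first paragraph is a style change unrelated to the product rename, and the one-word spelling is the common form; revert that part. While the paragraph is being touched, "Prioritized recommendation helps shorten" should read "Prioritized recommendations help shorten", and in the second paragraph "It is also dynamic ... as it continuously collects information" leaves "it" ambiguous between the recommendation and the service; "the service continuously collects" removes the ambiguity. The `collect` to `collects` fix itself is correct.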
@@ -110,3 +110,8 @@ You can report a false positive when you see any vague, inaccurate, incomplete, - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) +- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) +- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) +- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 0eb7c6a988..4428d8a925 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md 
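Review bot: Same broken link in tvm-security-recommendation.md: the `Recommendation APIs` bullet targets `.../microsoft-defender-atp/vulnerability`; it should target the Recommendation resource page, which is the most relevant API page for this topic.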
@@ -73,3 +73,9 @@ You can report a false positive when you see any vague, inaccurate version, inco - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) +- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) +- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index aa146289f2..1ffd2a0270 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md 
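Review bot: Same broken link in tvm-software-inventory.md: the `Recommendation APIs` bullet targets `.../microsoft-defender-atp/vulnerability` instead of the Recommendation resource page. The hunk also adds a trailing empty line at the end of the file.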
@@ -133,3 +133,8 @@ You can report a false positive when you see any vague, inaccurate, missing, or - [Software inventory](tvm-software-inventory.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) +- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) +- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md new file mode 100644 index 0000000000..0ede996269 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md 
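Review bot: Same broken link in tvm-weaknesses.md: the `Recommendation APIs` bullet targets `.../microsoft-defender-atp/vulnerability`, the same URL as the `Vulnerability APIs` bullet four lines above; point it at the Recommendation resource page.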
@@ -0,0 +1,50 @@ +--- +title: Vulnerability methods and properties +description: Retrieves vulnerability information +keywords: apis, graph api, supported apis, get, vulnerability +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Vulnerability resource type + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +## Methods +Method |Return Type |Description +:---|:---|:--- +[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization +[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID +[List machines by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of machines that are associated with the vulnerability ID + + +## Properties +Property | Type | Description +:---|:---|:--- +id | String | Vulnerability ID +Name | String | Vulnerability title +Description | String | Vulnerability description +Severity | String | Vulnerability Severity. 
Possible values are: “Low”, “Medium”, “High”, “Critical” +cvssV3 | Double | CVSS v3 score +exposedMachines | Long | Number of exposed machines +publishedOn | DateTime | Date when vulnerability was published +updatedOn | DateTime | Date when vulnerability was updated +publicExploit | Boolean | Public exploit exists +exploitVerified | Boolean | Exploit is verified to work +exploitInKit | Boolean | Exploit is part of an exploit kit +exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service” +exploitUris | String collection | Exploit source URLs diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md new file mode 100644 index 0000000000..5a60f9e9ae --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md 
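Review bot: The `exploitTypes` value list in the new Vulnerability resource file repeats "Denial of service" ("Denial of service", "Local privilege escalation", "Denial of service"); one of the two is presumably a different value, and the list should enumerate the distinct strings the API returns. Method naming is inconsistent within the Methods table (`Get all vulnerabilities` next to `List machines by vulnerability`, and `Retrieves` next to `Retrieve`); the Software table in this PR uses "List ..." for collection endpoints, so align to that. Property names mix casing again (`Name`, `Description`, `Severity` against `cvssV3`, `exposedMachines`).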
@@ -0,0 +1,171 @@ +--- +title: Web content filtering +description: Use web content filtering in Microsoft Defender ATP to track and regulate access to websites based on their content categories. +keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Web content filtering + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) + +Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns. + +You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. 
+ +Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support. + +To summarize the benefits: + +- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away +- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) +- You can access web reports in the same central location, with visibility over actual blocks and web usage + +## User experience + +The standard blocking experience is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. +For a more user-friendly experience, consider using SmartScreen on Edge. + +## Prerequisites + +Before trying out this feature, make sure you have the following: + +- Windows 10 Enterprise E5 license +- Access to Microsoft Defender Security Center portal +- Machines running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox) +- Machines running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the blocking +- A valid license with a partner data provider + +## Data handling + +For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. 
In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds. + +## Partner licensing + +In order to give customers access to various sources of web content categorization data, we are very excited to partner with data providers for this feature. We’ve chosen [Cyren](https://www.cyren.com/threat-intelligence) as our first partner, who we’ve worked with closely to build an integrated solution. + +### About Cyren and Threat Intelligence Service for Microsoft Defender ATP + +Cyren’s URL filtering includes 70 categories, providing partners with the ability to build powerful and advanced web security applications. Cyren’s comprehensive categories provide the necessary flexibility for any implementation requirement. + +The broad range of categories enables numerous applications: + +- Protecting users browsing the web from threats such as malware and phishing sites +- Ensuring employee productivity +- Consumer services such as parental control + +Cyren's web content classification technology is integrated by design into Microsoft Defender ATP to enable web filtering and auditing capabilities. + +Learn more at https://www.cyren.com/products/url-filtering. + +### Cyren permissions + +"Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license. + +"Read and Write Integration settings" exists under the WindowsDefenderATP scope within permissions. This line allows Cyren to add/modify/revoke Cyren license status on the Microsoft Defender ATP portal. + +### Signing up for a Cyren License + +Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal. 
+ +>[!NOTE] +>A user with AAD app admin/global admin permissions is required to complete these steps. + +1. Go to **Reports > Web protection** from the side navigation +2. Select the **Connect to a partner** button +3. Go through the flow from the flyout to register and connect your Cyren account + +## Turn on web content filtering + +From the left-hand navigation menu, select **Settings > General > Advanced Features**. Scroll down until you see the entry for **Web content filtering**. Switch the toggle to **On** and **Save preferences**. + +### Configure web content filtering policies + +Web content filtering policies specify which site categories are blocked on which machine groups. To manage the policies, go to **Settings > Rules > Web content filtering**. + +Use the filter to locate policies that contain certain blocked categories or are applied to specific machine groups. + +### Create a policy + +To add a new policy: + +1. Select **Add policy** on the **Web content filtering** page in **Settings**. +2. Specify a name. +3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories. +4. Specify the policy scope. Select the machine groups to specify where to apply the policy. Only machines in the selected machine groups will be prevented from accessing websites in the selected categories. +5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected machines. + +>[!NOTE] +>If you are removing a policy or changing machine groups at the same time, this might cause a delay in policy deployment. + +## Web content filtering cards and details + +Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering. 
+ +### Web activity by category + +This card lists the parent web content categories with the largest percentage change in the number of access attempts, whether they have increased or decreased. You can use this card to understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information about that particular category. + +In the first 30 days of using this feature, your organization might not have sufficient data to display in this card. + +![Image of web activity by category card](images/web-activity-by-category600.png) + +### Web content filtering summary card + +This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category. + +![Image of web content filtering summary card](images/web-content-filtering-summary.png) + +### Web activity summary card + +This card displays the total number of requests for web content in all URLs. + +![Image of web activity summary card](images/web-activity-summary.png) + +### View card details + +You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and machine groups. + +![Image of web protection report details](images/web-protection-report-details.png) + +- **Web categories**: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout. + +- **Domains**: Lists the web domains that have been accessed or blocked in your organization. Select a specific domain to view detailed information about that domain. 
+ +- **Machine groups**: Lists all the machine groups that have generated web activity in your organization + +Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item. + +## Errors and issues + +### Why am I seeing the error "Need admin approval" when trying to connect to Cyren? + +You need to be logged in to an AAD account with either App administrator or Global Administrator privileges. Your IT admin would most likely either have these permissions and/or be able to grant them to you. + +### Limitations and known issues in this preview + +- Unassigned machines will have incorrect data shown within the report. In the Report details > Machine groups pivot, you may see a row with a blank Machine Group field. This group contains your unassigned machines in the interim before they get put into your specified group. The report for this row may not contain an accurate count of machines or access counts. + +- The data in our reports may not be congruent with other data on the site. We currently do not support real-time data processing for this feature, so you may see inconsistencies between the data in our reports and the URL entity page. + +## Related topics + +- [Web protection overview](web-protection-overview.md) +- [Web threat protection](web-threat-protection.md) +- [Monitor web security](web-protection-monitoring.md) +- [Respond to web threats](web-protection-response.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md index da6e550794..36d58deb28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md 
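Review bot: In the Data handling section of the new web-content-filtering.md, "your data will not be shared with any third-parties, including our data providers" is immediately contradicted by "However, we may send them aggregate data (across users and organizations)"; state precisely what is never shared (per-user, per-machine and per-tenant browsing data) and what "aggregate" means, since this is the sentence a privacy reviewer will quote. In Prerequisites, "the latest MoCAMP update" is an internal codename that customers cannot act on; name the customer-facing platform update instead, and cross-check the "Windows 10 Anniversary Update (version 1607)" minimum for Network Protection against the minimum stated in the network-protection.md topic that the overview page links to. In the Cyren permissions and "Need admin approval" sections, spell out "AAD" as Azure Active Directory on first use, and since the "Read and Write Integration settings" consent lets the partner add, modify and revoke license status in the tenant, state who can grant it and how the consent can later be reviewed or revoked, which is what an admin evaluating least privilege will ask. Minor: "web activity patterns in your organization from last 30 days" should read "from the last 30 days", and the file ends with "\ No newline at end of file", so add the trailing newline.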
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md @@ -8,14 +8,13 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: lomayor -author: lomayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 08/30/2019 --- # Monitor web browsing security @@ -54,4 +53,6 @@ Select a domain to view the list of machines that have attempted to access URLs ## Related topics - [Web protection overview](web-protection-overview.md) +- [Web content filtering](web-content-filtering.md) +- [Web threat protection](web-threat-protection.md) - [Respond to web threats](web-protection-response.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md index 37f62a101c..d3dd75a836 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md @@ -1,5 +1,5 @@ --- -title: Overview of web protection in Microsoft Defender ATP +title: Web protection description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh 
@@ -8,43 +8,44 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: lomayor -author: lomayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 08/30/2019 --- -# Protect your organization against web threats +# Web protection >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -Web protection in Microsoft Defender ATP uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). +Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your machines against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**. ->[!Note] ->It can take up to an hour for machines to receive new customer indicators. +![Image of all web protection cards](images/web-protection.png) -With web protection, you also get: +## Web threat protection + +The cards that make up web threat protection are **Web threat detections over time** and **Web threat summary**. 
+ +Web threat protection includes: - Comprehensive visibility into web threats affecting your organization - Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs - A full set of security features that track general access trends to malicious and unwanted websites -## Prerequisites -Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers. +## Web content filtering -To turn on network protection on your machines: -- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline) -- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md) - ->[!Note] ->If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only. +The cards that make up web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**. 
+Web content filtering includes: +- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away +- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) +- You can access web reports in the same central location, with visibility over actual blocks and web usage ## In this section + Topic | Description :---|:--- -[Monitor web security](web-protection-monitoring.md) | Monitor attempts to access malicious and unwanted websites. -[Respond to web threats](web-protection-response.md) | Investigate and manage alerts related to malicious and unwanted websites. Understand how end users are notified whenever a web threat is blocked. +[Web threat protection](web-threat-protection.md) | Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked. +[Web content filtering](web-content-filtering.md) | Track and regulate access to websites based on their content categories. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md index e963f8f504..e9e6949f27 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md @@ -8,14 +8,13 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: lomayor -author: lomayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 08/30/2019 --- # Respond to web threats 
@@ -67,4 +66,6 @@ With web protection in Microsoft Defender ATP, your end users will be prevented ## Related topics - [Web protection overview](web-protection-overview.md) -- [Monitor web security](web-protection-monitoring.md) +- [Web content filtering](web-content-filtering.md) +- [Web threat protection](web-threat-protection.md) +- [Monitor web security](web-protection-monitoring.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md new file mode 100644 index 0000000000..66e0e293ed --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md 
@@ -0,0 +1,45 @@ +--- +title: Protect your organization against web threats +description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization +keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Protect your organization against web threats + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) + +Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). + +>[!Note] +>It can take up to an hour for machines to receive new customer indicators. + +## Prerequisites +Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers. + +To turn on network protection on your machines: +- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. 
[Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline) +- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md) + +>[!Note] +>If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only. + +## Related topics + +- [Web protection overview](web-protection-overview.md) +- [Web threat protection](web-threat-protection.md) +- [Monitor web security](web-protection-monitoring.md) +- [Respond to web threats](web-protection-response.md) +- [Network protection](network-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 1f3bb33e56..d726f7ff56 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -279,7 +279,7 @@ SAWs are computers that are built to help significantly reduce the risk of compr To protect high-value assets, SAWs are used to make secure connections to those assets. -Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like System Center Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. +Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like Microsoft Endpoint Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index a76c0ab71a..c69288aada 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -26,7 +26,7 @@ manager: dansimp You can manage and configure Windows Defender Antivirus with the following tools: - Microsoft Intune -- System Center Configuration Manager +- Microsoft Endpoint Configuration Manager - Group Policy - PowerShell cmdlets - Windows Management Instrumentation (WMI) @@ -38,7 +38,7 @@ The articles in this section provide further information, links, and resources f Article | Description ---|--- -[Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus +[Manage Windows Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus [Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters [Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-windows-defender-antivirus.md)| Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 6a618ee75f..97287da999 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -73,7 +73,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev ### Enable block at first sight with Microsoft Endpoint Configuration Manager -1. In Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. 2. Click **Home** > **Create Antimalware Policy**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index ec2b578d1f..3532148261 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md 
@@ -1,7 +1,7 @@ --- title: Configure Windows Defender Antivirus features description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. -keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell +keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index ed7b30ece9..fc883cd71d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -79,7 +79,7 @@ The notification appears in the usual [quarantine list within the Windows Securi #### Configure PUA protection in Windows Defender Antivirus -You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets. +You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. 
@@ -94,14 +94,14 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic ##### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in the System Center Configuration Manager (Current Branch), starting with version 1606. +PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch). -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (Current Branch). +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). -For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). +For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] -> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center Configuration Manager. +> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. ##### Use Group Policy to configure PUA protection 
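Review bot: The link text "How to create and deploy antimalware policies: Scheduled scans settings" does not match its fragment `#real-time-protection-settings` in the rewritten `See [...]` line of this hunk; PUA protection lives under the real-time protection settings of that article, so rename the link text to "Real-time protection settings" rather than carrying the mismatch over with the new `/configmgr/` URL. Two smaller points in the same hunk: "enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch)" should drop the article ("in Microsoft Endpoint Configuration Manager (Current Branch)"), and removing "starting with version 1606" silently drops the minimum version the old sentence documented; if that qualifier is no longer needed because every supported current-branch release is newer, say so in the commit message, otherwise keep it.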
@@ -146,7 +146,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use #### View PUA events -PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. You can turn on email notifications to receive mail about PUA detections. diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 328b3fc5a0..985b6f0b7c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md 
@@ -28,7 +28,7 @@ ms.custom: nextgen Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. @@ -62,7 +62,7 @@ For more information about Intune device profiles, including how to create and c **Use Configuration Manager to enable cloud-delivered protection:** -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). **Use Group Policy to enable cloud-delivered protection:** 
@@ -139,5 +139,5 @@ See the following for more information and allowed parameters: - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index c238f05823..20d523d368 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md 
@@ -27,11 +27,11 @@ Windows Defender Antivirus allows you to determine if updates should (or should ## Check for protection updates before running a scan -You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. +You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. ### Use Configuration Manager to check for protection updates before running a scan -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index fabe399119..9a6e186de0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md 
@@ -35,7 +35,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie ### Use Configuration Manager to configure catch-up protection updates -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section and configure the following settings: @@ -164,7 +164,7 @@ See the following for more information and allowed parameters: ### Use Configuration Manager to configure catch-up scans -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index 0185b12a58..c67fd41aa8 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -36,7 +36,7 @@ You can also randomize the times when each endpoint checks and downloads protect ## Use Configuration Manager to schedule protection updates -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index b6e4410cd1..be5477b03f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md 
@@ -52,11 +52,11 @@ There are five locations where you can specify where an endpoint should obtain u - [Microsoft Update](https://support.microsoft.com/help/12373/windows-update-faq) - [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) -- [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/servers/manage/updates) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview) - [Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.) -To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, System Center Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. +To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. 
> [!IMPORTANT] > If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). 
@@ -70,13 +70,13 @@ Each source has typical scenarios that depend on how your network is configured, |Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.| |Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.| |File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| -|System Center Configuration Manager | You are using System Center Configuration Manager to update your endpoints.| +|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.| |Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
    Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| -You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. +You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI. > [!IMPORTANT] -> If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). +> If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. 
To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it. @@ -110,7 +110,7 @@ The procedures in this article first describe how to set the order, and then how ## Use Configuration Manager to manage the update location -See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch). +See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ## Use PowerShell cmdlets to manage the update location diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 775068abed..7ebc368cbc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md 
@@ -40,7 +40,7 @@ The cloud-delivered protection is always on and requires an active connection to Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. -You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. ## In this section diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 5c91ca4d4b..b3af31a231 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md 
@@ -193,15 +193,16 @@ Value DisableRealtimeMonitoring = 0 Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups. -### Can I configure tamper protection in System Center Configuration Manager? -Currently, managing tamper protection through System Center Configuration Manager is not supported. +### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? + +Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager. ### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune? Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when tamper protection is enabled on a device? +### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? You won’t be able to change the features that are protected by tamper protection; such change requests are ignored. diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 16f606bbae..caea14600c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md 
@@ -23,7 +23,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 78fed4d5d4..ad189470ba 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md 
@@ -1,6 +1,6 @@ --- title: Review the results of Windows Defender AV scans -description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app +description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app keywords: scan results, remediation, full scan, quick scan search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -34,7 +34,7 @@ After an Windows Defender Antivirus scan completes, whether it is an [on-demand] ## Use Configuration Manager to review scan results -See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). +See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). ## Use the Windows Security app to review scan results diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 66db88455e..f36197fe0f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md 
@@ -41,7 +41,7 @@ A full scan can be useful on endpoints that have encountered a malware threat to ## Use Configuration Manager to run a scan -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. +See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. ## Use the mpcmdrun.exe command-line utility to run a scan diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index e49771c6ae..b2b391a114 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md 
@@ -31,7 +31,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-windows-d You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. -This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). To configure the Group Policy settings described in this topic: diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index e6b6bf10d0..d04a0c0bd5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md 
@@ -23,7 +23,7 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. +You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager. >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. @@ -47,7 +47,7 @@ For more information about Intune device profiles, including how to create and c ## Use Configuration Manager to specify the level of cloud-delivered protection -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ## Use Group Policy to specify the level of cloud-delivered protection 
@@ -77,6 +77,6 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) -- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 6ed604307a..df5a122dda 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure Windows Defender Antivirus with Configuration Manager and Intune -description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection +description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -17,13 +17,13 @@ ms.reviewer: manager: dansimp --- -# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus +# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. +If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 326511d75c..80c59d0658 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md 
@@ -30,9 +30,9 @@ For a list of the cmdlets and their functions and available parameters, see the PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. > [!NOTE] -> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367). +> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367). -Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. +Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md index 0e88dfd58b..bac24170b6 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md @@ -31,7 +31,7 @@ Windows Defender Antivirus has a number of specific WMI classes that can be used The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender Antivirus, and includes example scripts. -Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. +Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index e1d2d9c8e9..68f8c4587a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
@@ -59,11 +59,9 @@ Organizations running Windows 10 E5, version 1803 can also take advantage of eme >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager. -The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager. - - -Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | System Center Configuration Manager (Current Branch) | Microsoft Intune +Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center 2012 Configuration Manager | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune ---|---|---|---|---|---|--- Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version 
@@ -76,8 +74,8 @@ You can also [configure Windows Defender AV to automatically receive new protect Topic | Description ---|--- -[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. -[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. +[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. +[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. 
-[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence . You can enable and configure it with System Center Configuration Manager and Group Policy. -[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy. +[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. +[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 369ebfe876..64efaa5752 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -57,7 +57,7 @@ See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-ant >[!IMPORTANT] >Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016. > ->In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through System Center Configuration Manager. +>In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager. > >Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index 8837f79190..b8fbc245ce 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md 
@@ -56,7 +56,7 @@ See the [Manage Windows Defender Antivirus Security intelligence updates](manag In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. -The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it to manage your endpoints. +The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints. The prompt can occur via a notification, similar to the following: @@ -70,7 +70,7 @@ In Configuration Manager, you can identify the status of endpoints by navigating Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. -![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png) +![Microsoft Endpoint Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png) ## Configure notifications diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 765289825b..1accae5758 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md 
@@ -143,7 +143,7 @@ To sign the existing catalog file, copy each of the following commands into an e 5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. - For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as System Center Configuration Manager. Doing this also simplifies the management of catalog versions. + For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Endpoint Configuration Manager. Doing this also simplifies the management of catalog versions. ## Add a catalog signing certificate to a Windows Defender Application Control policy 
@@ -217,9 +217,9 @@ To simplify the management of catalog files, you can use Group Policy preference Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy. -## Deploy catalog files with System Center Configuration Manager +## Deploy catalog files with Microsoft Endpoint Configuration Manager -As an alternative to Group Policy, you can use System Center Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, System Center Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: +As an alternative to Group Policy, you can use Microsoft Endpoint Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Microsoft Endpoint Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: >[!NOTE] >The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. 
@@ -292,9 +292,9 @@ After you create the deployment package, deploy it to a collection so that the c Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy,. -## Inventory catalog files with System Center Configuration Manager +## Inventory catalog files with Microsoft Endpoint Configuration Manager -When catalog files have been deployed to the computers within your environment, whether by using Group Policy or System Center Configuration Manager, you can inventory them with the software inventory feature of System Center Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy. +When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Microsoft Endpoint Configuration Manager, you can inventory them with the software inventory feature of Microsoft Endpoint Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy. >[!NOTE] >A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names. 
@@ -332,7 +332,7 @@ When catalog files have been deployed to the computers within your environment, 9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files. -At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in System Center Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: +At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Microsoft Endpoint Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: 1. Open the Configuration Manager console, and select the Assets and Compliance workspace. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 5fa737a5b4..128fb4d3a3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -18,29 +18,63 @@ ms.date: 05/17/2018 --- > [!NOTE] -> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/). +> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/). # Deploy Windows Defender Application Control policies by using Microsoft Intune **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows Server 2016 +You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited. -You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can either configure an Endpoint Protection profile for WDAC, or create a custom profile with an OMA-URI setting. By using an Endpoint Protection profile, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps as defined by the Intelligent Security Graph. +In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. 
Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). + +## Using Intune's Built-In Policies 1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. -3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. +2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. ![Configure profile](images/wdac-intune-create-profile-name.png) -4. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**: +3. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**: - **Application control code integrity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run. - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps. - ![Configure WDAC](images/wdac-intune-wdac-settings.png) - -To add a custom profile with an OMA-URI see, [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/intune/configuration/custom-settings-windows-10). + ![Configure built-in WDAC](images/wdac-intune-wdac-settings.png) + +## Using a Custom OMA-URI Profile + +### For 1903+ systems +The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are: + +1. Know a generated policy’s GUID, which can be found in the policy xml as `` +2. 
Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. +4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**. +5. Add a row, then give your policy a name and use the following settings: + - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy + - **Data type**: Base64 + - **Certificate file**: upload your binary format policy file + + ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) + +> [!NOTE] +> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. + +### For pre-1903 systems +The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: + +1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. +3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**. +4. 
Add a row, then give your policy a name and use the following settings: + - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) + - **Data type**: Base64 + - **Certificate file**: upload your binary format policy file + +> [!NOTE] +> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png new file mode 100644 index 0000000000..12ec2b924f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png new file mode 100644 index 0000000000..c37d55910d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png new file mode 100644 index 0000000000..e132440266 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png differ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png new file mode 100644 index 0000000000..1ba4774163 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index ef6e327975..6054e9f6bd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md 
@@ -27,7 +27,7 @@ ms.date: 05/03/2018 Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. For example, after a WDAC policy is created and audited, you might want to merge audit events from another WDAC policy. > [!NOTE] -> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then amanaged installer using System Center Configuration Manager (SCCM) targeted the same device, the SCCM policy would overwrite the SiPolicy.p7b file. +> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then a managed installer using Microsoft Endpoint Configuration Manager targeted the same device, the Configuration Manager policy would overwrite the SiPolicy.p7b file. To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session: diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 26bd6f527f..6d1d345b1e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -62,7 +62,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | | **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | -| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as System Center Configuration Manager, that has been defined as a managed installer. | +| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. 
This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index cf12d9225c..db845a4507 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md 
@@ -43,7 +43,7 @@ Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response. > [!NOTE] -> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) +> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control. diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 87a4942ff4..04a21aa98f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md 
@@ -48,7 +48,7 @@ The first step is to define the desired "circle-of-trust" for your WDAC policies For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store. -Microsoft Endpoint Configuration Manager (previously known as System Center Configuration Manager (SCCM)), uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow SCCM and its dependencies, sets the managed installer policy rule, and additionally configures SCCM as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the SCCM administrator which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for SCCM's native WDAC integration. +Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. The following questions can help you plan your WDAC deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order and are not meant to be an exhaustive set of design considerations. 
@@ -62,7 +62,7 @@ Organizations with well-defined, centrally-managed app management and deployment | - | - | | All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | | Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | -| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Windows Defender Antivirus and SmartScreen) to allow only apps and binaries that have positive reputation. | +| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Windows Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. 
| | Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.| ### Are internally-developed line-of-business (LOB) apps and apps developed by 3rd parties digitally signed? @@ -72,7 +72,7 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p | Possible answers | Design considerations | | - | - | | All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. WDAC rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | -| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific app catalog signatures to existing apps as a part of the app deployment process which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed app catalogs. | +| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | ### Are there specific groups in your organization that need customized application control policies? 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 22df45d2a2..d516a6f73a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
@@ -38,7 +38,7 @@ After that initial download and installation, the WDAC component will check for The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot. >[!NOTE] ->Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both System Center Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines. +>Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Intune can be used to create and push a WDAC policy to your client machines. Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). 
@@ -87,7 +87,7 @@ In order for the heuristics used by the ISG to function properly, a number of co appidtel start ``` -For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required. +For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the Configuration Manager WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through Configuration Manager then this step is required. ## Security considerations with the Intelligent Security Graph diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index 8b552f93a6..c3a6983cd6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md 
@@ -1,6 +1,6 @@ --- title: Authorize apps deployed with a WDAC managed installer (Windows 10) -description: Learn how to use a managed installer to automatically authorize apps added by a designated software distribution solution, such as SCCM. +description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 @@ -28,7 +28,7 @@ ms.date: 06/13/2018 Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC). This is especially true for enterprises with large, ever changing software catalogs. -Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. +Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. A managed installer helps an IT admin balance security and manageability requirements when employing application execution control policies by providing an option that does not require specifying explicit rules for software that is being managed through a software distribution solution. ## How does a managed installer work? 
@@ -159,7 +159,7 @@ Specify `-mionly` if you will not use the Intelligent Security Graph (ISG). ## Security considerations with managed installer Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. -It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. +It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager. Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 9496c86d29..c8d5d6ec1c 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -41,4 +41,4 @@ Your environment needs the following software to run Windows Defender Applicatio |--------|-----------| |Operating system|Windows 10 Enterprise edition, version 1709 or higher
    Windows 10 Professional edition, version 1803 or higher
    Windows 10 Professional for Workstations edition, version 1803 or higher
    Windows 10 Professional Education edition version 1803 or higher
    Windows 10 Education edition, version 1903 or higher
    Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | |Browser|Microsoft Edge and Internet Explorer| -|Management system
    (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

    **-OR-**

    [System Center Configuration Manager](https://docs.microsoft.com/sccm/)

    **-OR-**

    [Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

    **-OR-**

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| +|Management system
    (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

    **-OR-**

    [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/)

    **-OR-**

    [Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

    **-OR-**

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index aa8c80886a..390bee5992 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md 
@@ -32,9 +32,9 @@ If an employee goes to an untrusted site through either Microsoft Edge or Intern Application Guard has been created to target several types of systems: -- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. +- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. -- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. +- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. - **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 2669eb3ab6..2ce382c919 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md 
@@ -24,7 +24,7 @@ manager: dansimp - Windows 10, version 1703 and later -The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using System Center Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). +The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). The [Windows 10 IT pro troubleshooting topic](https://docs.microsoft.com/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](https://docs.microsoft.com/windows/windows-10/) can also be helpful for resolving issues. 
@@ -34,7 +34,7 @@ In Windows 10, version 1709 and later, the section can be hidden from users of t ## Hide the Device performance & health section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 875fd5bfae..27bf7e7c31 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md 
@@ -47,7 +47,7 @@ You can only use Group Policy to change these settings. ## Use Group Policy to hide non-critical notifications -You can hide notifications that describe regular events related to the health and security of the machine. These are notifications that do not require an action from the machine's user. It can be useful to hide these notifications if you find they are too numerours or you have other status reporting on a larger scale (such as Update Compliance or System Center Configuration Manager reporting). +You can hide notifications that describe regular events related to the health and security of the machine. These are notifications that do not require an action from the machine's user. It can be useful to hide these notifications if you find they are too numerous or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Endpoint Configuration Manager reporting). This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index af8816db71..56b6759416 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md 
@@ -33,7 +33,7 @@ In Windows 10, version 1709 and later, the app also shows information from third In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. -![Screen shot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) +![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) > [!NOTE] > The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). 
@@ -63,16 +63,16 @@ You can find more information about each section, including options for configur - Click the icon in the notification area on the taskbar. - ![Screen shot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) + ![Screenshot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) - Search the Start menu for **Windows Security**. - ![Screen shot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) + ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) - Open an area from Windows **Settings**. - ![Screen shot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) + ![Screenshot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) > [!NOTE] -> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. +> Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. ## How the Windows Security app works with Windows security features 
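Review bot: the modified NOTE line still ends "take precedence over the settings in the Windows Security", and the third alt text reads "areas available in the Windows Security"; both are missing the word "app". Since this hunk already rewrites those lines for the Screenshot and product-name changes, append "app" in both places so they match the "Windows Security app" wording used in the rest of the hunk.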
@@ -98,7 +98,7 @@ The Windows Security app operates as a separate app or process from each of the It acts as a collector or single place to see the status and perform some configuration for each of the features. -Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. +Disabling any of the individual features (through Group Policy or other management tools, such as Microsoft Endpoint Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. > [!IMPORTANT] > Individually disabling any of the services will not disable the other services or the Windows Security app. diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index 87aa58c2e4..9c4ca00884 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md 
@@ -83,5 +83,5 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def ![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) -After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. +After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md index d91fbb98a5..a17ad45ab9 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md 
@@ -83,5 +83,5 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def ![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) -After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. +After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index e3e3748b5c..48bfb00d06 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md 
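Review bot: this hunk and the one before it apply the identical one-word change at the same position (@@ -83,5) with identical context in two files, how-hardware-based-root-of-trust-helps-protect-windows.md and system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md. Unless both copies are intentionally published, add a redirect for the older one in .openpublishing.redirection.json (the same mechanism this patch uses for the Surface topic) so future edits do not have to be made twice.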
@@ -45,13 +45,13 @@ Security baselines are an essential benefit to customers because they bring toge For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting. -In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects backups. +In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups. ## How can you use security baselines? You can use security baselines to: - Ensure that user and device configuration settings are compliant with the baseline. -- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. +- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. 
## Where can I get the security baselines? @@ -73,7 +73,7 @@ You may also be interested in this msdn channel 9 video: ## See Also -- [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) +- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) - [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite) - [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/) - [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index f0786fa0aa..81d06744df 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md 
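Review bot: the See Also entry is renamed to Microsoft Endpoint Configuration Manager but keeps the old URL https://www.microsoft.com/cloud-platform/system-center-configuration-manager, while the identical entry in windows-security-configuration-framework/windows-security-baselines.md later in this patch is pointed at https://docs.microsoft.com/configmgr/; use the same target here so the two copies of the page do not diverge. In the earlier hunk of this file, changing "Group Policy Objects backups" to "Group Policy Objects Backups" is outside the scope of the product rename and capitalizes a common noun; revert it or note the reason (for example a matching UI label) in the PR description.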
@@ -19,7 +19,7 @@ ms.reviewer: **What is the Microsoft Security Compliance Manager (SCM)?** -The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. +The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO Backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/). 
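Review bot: "GPO backups" becomes "GPO Backups" while "GPO reports", "Excel spreadsheets" and "WMI filters" in the same sentence stay lowercase. This edit is unrelated to the SCCM-to-Microsoft Endpoint Configuration Manager rename the rest of the patch performs; either revert the capital B or give the rationale in the PR description.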
@@ -40,9 +40,9 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. -**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?** +**Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?** -No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). +No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO Backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). **Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?** diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 78f942c5a5..c5be88f4ea 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
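Review bot: rewording the question to "Microsoft Endpoint Configuration Manager DCM packs" removes the "SCCM" name that gave the unexpanded "DCM" acronym its context; expand the acronym on first use, or use the feature's current name if it has since changed, so the FAQ entry stays understandable without the old product name. The answer line also capitalizes "GPO Backups", which is inconsistent with the lowercase "GPO backup feature" in this hunk's own context line.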
@@ -45,13 +45,13 @@ Security baselines are an essential benefit to customers because they bring toge For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting. -In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects backups. +In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups. ## How can you use security baselines? You can use security baselines to: - Ensure that user and device configuration settings are compliant with the baseline. -- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. +- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. 
## Where can I get the security baselines? @@ -73,7 +73,7 @@ You may also be interested in this msdn channel 9 video: ## See Also -- [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/) - [Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/) - [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/) - [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index b2e5edb37f..aace786788 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md 
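Review bot: this file is a second copy of windows-security-baselines.md (same headings, same paragraphs, same bullet list) under windows-security-configuration-framework/, and after this patch the two differ only in the Microsoft Endpoint Configuration Manager See Also target (https://docs.microsoft.com/configmgr/ here, the old www.microsoft.com URL in the threat-protection copy). Align the link in both, and consider redirecting one copy to the other so the pages cannot drift again.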
@@ -1,298 +1,299 @@ ---- -title: What's new in Windows 10 Enterprise 2015 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2015 LTSC - -**Applies to** -- Windows 10 Enterprise 2015 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). - -## Deployment - -### Provisioning devices using Windows Imaging and Configuration Designer (ICD) - -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. - -[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) - -## Security - -### Applocker - -Applocker was available for Windows 8.1, and is improved with Windows 10. 
See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. - -Enhancements to Applocker in Windows 10 include: - -- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). - -[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). - -### Bitlocker - -Enhancements to Applocker in Windows 10 include: - -- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. -- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. 
Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. -- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." - -[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). - -### Certificate management - -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) - -### Microsoft Passport - -In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. - -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. 
After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. - -### Security auditing - -In Windows 10, security auditing has added some improvements: -- [New audit subcategories](#bkmk-auditsubcat) -- [More info added to existing audit events](#bkmk-moreinfo) - -#### New audit subcategories - -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. -- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. 
If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. - -#### More info added to existing audit events - -With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: -- [Changed the kernel default audit policy](#bkmk-kdal) -- [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the logon event](#bkmk-logon) -- [Added new fields in the process creation event](#bkmk-logon) -- [Added new Security Account Manager events](#bkmk-sam) -- [Added new BCD events](#bkmk-bcd) -- [Added new PNP events](#bkmk-pnp) - -#### Changed the kernel default audit policy - -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. - -#### Added a default process SACL to LSASS.exe - -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This can help identify attacks that steal credentials from the memory of a process. - -#### New fields in the logon event - -The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: -1. 
**MachineLogon** String: yes or no - If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. -2. **ElevatedToken** String: yes or no - If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. -3. **TargetOutboundUserName** String - **TargetOutboundUserDomain** String - The username and domain of the identity that was created by the LogonUser method for outbound traffic. -4. **VirtualAccount** String: yes or no - If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. -5. **GroupMembership** String - A list of all of the groups in the user's token. -6. **RestrictedAdminMode** String: yes or no - If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. - For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). - -#### New fields in the process creation event - -The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: -1. **TargetUserSid** String - The SID of the target principal. -2. **TargetUserName** String - The account name of the target user. -3. **TargetDomainName** String - The domain of the target user.. -4. **TargetLogonId** String - The logon ID of the target user. -5. **ParentProcessName** String - The name of the creator process. -6. **ParentProcessId** String - A pointer to the actual parent process if it's different from the creator process. - -#### New Security Account Manager events - -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. 
In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: -- SamrEnumerateGroupsInDomain -- SamrEnumerateUsersInDomain -- SamrEnumerateAliasesInDomain -- SamrGetAliasMembership -- SamrLookupNamesInDomain -- SamrLookupIdsInDomain -- SamrQueryInformationUser -- SamrQueryInformationGroup -- SamrQueryInformationUserAlias -- SamrGetMembersInGroup -- SamrGetMembersInAlias -- SamrGetUserDomainPasswordInformation - -#### New BCD events - -Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): -- DEP/NEX settings -- Test signing -- PCAT SB simulation -- Debug -- Boot debug -- Integrity Services -- Disable Winload debugging menu - -#### New PNP events - -Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. - -[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). - -### Trusted Platform Module - -#### New TPM features in Windows 10 - -The following sections describe the new and changed functionality in the TPM for Windows 10: -- [Device health attestation](#bkmk-dha) -- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support -- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support -- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support - -### Device health attestation - -Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. 
With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. -Some things that you can check on the device are: -- Is Data Execution Prevention supported and enabled? -- Is BitLocker Drive Encryption supported and enabled? -- Is SecureBoot supported and enabled? - -> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. - -[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). - -### User Account Control - -User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. - -You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. - -For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). - -In Windows 10, User Account Control has added some improvements: - -- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. 
- -[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). - -### VPN profile options - -Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: - -- Always-on auto connection behavior -- App=triggered VPN -- VPN traffic filters -- Lock down VPN -- Integration with Microsoft Passport for Work - -[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) - - -## Management - -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. - -### MDM support - -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. - -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. - -Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) - -### Unenrollment - -When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. - -When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. 
- -### Infrastructure - -Enterprises have the following identity and management choices. - -| Area | Choices | -|---|---| -| Identity | Active Directory; Azure AD | -| Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - - > **Note**   -With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). - - -### Device lockdown - - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. -- A portable device that drivers can use to check a route on a map. -- A device that a temporary worker uses to enter data. - -You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. - -You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. - -Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). - -### Customized Start layout - -A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. 
Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). - -Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). - -## Updates - -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. - -By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - -- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). - -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. - -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). - -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. 
Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). - - -Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). - -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). - -## Microsoft Edge - -Microsoft Edge is not available in the LTSC release of Windows 10. - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. - +--- +title: What's new in Windows 10 Enterprise 2015 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2015 LTSC + +**Applies to** +- Windows 10 Enterprise 2015 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). 
+ +## Deployment + +### Provisioning devices using Windows Imaging and Configuration Designer (ICD) + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) + +## Security + +### AppLocker + +AppLocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. + +Enhancements to AppLocker in Windows 10 include: + +- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. +- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). + +[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). + +### BitLocker + +Enhancements to AppLocker in Windows 10 include: + +- **Encrypt and recover your device with Azure Active Directory**. 
In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. +- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." + +[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). + +### Certificate management + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. 
As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +### Security auditing + +In Windows 10, security auditing has added some improvements: +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) + +#### New audit subcategories + +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. 
For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. + Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + +#### More info added to existing audit events + +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. 
Improvements were made to the following audit events: +- [Changed the kernel default audit policy](#bkmk-kdal) +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) +- [Added new fields in the logon event](#bkmk-logon) +- [Added new fields in the process creation event](#bkmk-logon) +- [Added new Security Account Manager events](#bkmk-sam) +- [Added new BCD events](#bkmk-bcd) +- [Added new PNP events](#bkmk-pnp) + +#### Changed the kernel default audit policy + +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. + +#### Added a default process SACL to LSASS.exe + +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This can help identify attacks that steal credentials from the memory of a process. + +#### New fields in the logon event + +The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +1. **MachineLogon** String: yes or no + If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. +2. **ElevatedToken** String: yes or no + If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. +3. 
**TargetOutboundUserName** String + **TargetOutboundUserDomain** String + The username and domain of the identity that was created by the LogonUser method for outbound traffic. +4. **VirtualAccount** String: yes or no + If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. +5. **GroupMembership** String + A list of all of the groups in the user's token. +6. **RestrictedAdminMode** String: yes or no + If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. + For more info on restricted admin mode, see [Restricted Admin mode for RDP](https://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + +#### New fields in the process creation event + +The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +1. **TargetUserSid** String + The SID of the target principal. +2. **TargetUserName** String + The account name of the target user. +3. **TargetDomainName** String + The domain of the target user.. +4. **TargetLogonId** String + The logon ID of the target user. +5. **ParentProcessName** String + The name of the creator process. +6. **ParentProcessId** String + A pointer to the actual parent process if it's different from the creator process. + +#### New Security Account Manager events + +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. 
The following APIs are now audited: +- SamrEnumerateGroupsInDomain +- SamrEnumerateUsersInDomain +- SamrEnumerateAliasesInDomain +- SamrGetAliasMembership +- SamrLookupNamesInDomain +- SamrLookupIdsInDomain +- SamrQueryInformationUser +- SamrQueryInformationGroup +- SamrQueryInformationUserAlias +- SamrGetMembersInGroup +- SamrGetMembersInAlias +- SamrGetUserDomainPasswordInformation + +#### New BCD events + +Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): +- DEP/NEX settings +- Test signing +- PCAT SB simulation +- Debug +- Boot debug +- Integrity Services +- Disable Winload debugging menu + +#### New PNP events + +Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. + +[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). + +### Trusted Platform Module + +#### New TPM features in Windows 10 + +The following sections describe the new and changed functionality in the TPM for Windows 10: +- [Device health attestation](#bkmk-dha) +- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support +- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support +- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support + +### Device health attestation + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. 
+Some things that you can check on the device are: +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). + +### User Account Control + +User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. + +You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. + +For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). + +In Windows 10, User Account Control has added some improvements: + +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. + +[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). 
+ +### VPN profile options + +Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: + +- Always-on auto connection behavior +- App=triggered VPN +- VPN traffic filters +- Lock down VPN +- Integration with Microsoft Passport for Work + +[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) + + +## Management + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +### MDM support + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) + +### Unenrollment + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. + +### Infrastructure + +Enterprises have the following identity and management choices. 
+ +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + + > **Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). + + +### Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. +- A portable device that drivers can use to check a route on a map. +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. + +You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). + +### Start layout + +A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. 
Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). + +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). + +## Updates + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. + +By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). + +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security). + +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. 
Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr). + + +Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). + +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). + +## Microsoft Edge + +Microsoft Edge is not available in the LTSC release of Windows 10. + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 683b980e8f..727cc608be 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md 
@@ -1,178 +1,179 @@ ---- -title: What's new in Windows 10 Enterprise 2016 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2016 LTSC - -**Applies to** -- Windows 10 Enterprise 2016 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. - -## Deployment - -### Windows Imaging and Configuration Designer (ICD) - -In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. 
[Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) - -Windows ICD now includes simplified workflows for creating provisioning packages: - -- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) -- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) -- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) - -[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) - -### Windows Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. - -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
- -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. - -[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -## Security - -### Credential Guard and Device Guard - -Isolated User Mode is now included with Hyper-V so you don't have to install it separately. - -### Windows Hello for Business - -When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: - -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. -- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. 
-- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. - - -[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) - -### Bitlocker - -#### New Bitlocker features - -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. - It provides the following benefits: - - The algorithm is FIPS-compliant. - - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. - -### Security auditing - -#### New Security auditing features - -- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. - -### Trusted Platform Module - -#### New TPM features - -- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). 
- -### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) - -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. - -Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. - -- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) -- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) - -[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) - -### Windows Defender - -Several new features and management options have been added to Windows Defender in this version of Windows 10. - -- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. -- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. 
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. -- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). -- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. - -### Windows Defender Advanced Threat Protection (ATP) - -With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. - -[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -### VPN security - -- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. -- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. 
[Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. -- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) -- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. - -## Management - -### Use Remote Desktop Connection for PCs joined to Azure Active Directory - -From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) - -### Taskbar configuration - -Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) - -### Mobile device management and configuration service providers (CSPs) - -Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). - -### Shared PC mode - -This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. 
You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) - -### Application Virtualization (App-V) for Windows 10 - -Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. - -With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. - -[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) - -### User Experience Virtualization (UE-V) for Windows 10 - -Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. - -With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. - -With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. 
If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. - -[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. - +--- +title: What's new in Windows 10 Enterprise 2016 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2016 LTSC + +**Applies to** +- Windows 10 Enterprise 2016 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. + +## Deployment + +### Windows Imaging and Configuration Designer (ICD) + +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. 
[Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) + +Windows ICD now includes simplified workflows for creating provisioning packages: + +- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) +- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) + +[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) + +### Windows Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
+ +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. + +[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +## Security + +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + +### Windows Hello for Business + +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. +- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. 
+- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. + + +[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) + +### BitLocker + +#### New BitLocker features + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +### Security auditing + +#### New Security auditing features + +- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +### Trusted Platform Module + +#### New TPM features + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). 
+ +### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. + +- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) + +[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) + +### Windows Defender + +Several new features and management options have been added to Windows Defender in this version of Windows 10. + +- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. 
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. + +### Windows Defender Advanced Threat Protection (ATP) + +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. + +[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +### VPN security + +- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. 
[Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. +- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. + +## Management + +### Use Remote Desktop Connection for PCs joined to Azure Active Directory + +From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) + +### Taskbar configuration + +Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) + +### Mobile device management and configuration service providers (CSPs) + +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). + +### Shared PC mode + +This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. 
You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) + +### Application Virtualization (App-V) for Windows 10 + +Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. + +With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. + +[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) + +### User Experience Virtualization (UE-V) for Windows 10 + +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. + +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. + +With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. 
If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. + +[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index cff1ffcf2c..d409feafd2 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -413,7 +413,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro ### Co-management -Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. +Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) 
@@ -478,7 +478,7 @@ You can now register your Azure AD domains to the Windows Insider Program. For m ### Optimize update delivery -With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. >[!NOTE] > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 0ca95a49ea..e49c027a4d 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md 
@@ -42,9 +42,9 @@ With Windows 10, you can create provisioning packages that let you quickly and e [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). -### Bitlocker +### BitLocker -#### New Bitlocker features in Windows 10, version 1511 +#### New BitLocker features in Windows 10, version 1511 - **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. It provides the following benefits: @@ -54,7 +54,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e >[!NOTE] >Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. -#### New Bitlocker features in Windows 10, version 1507 +#### New BitLocker features in Windows 10, version 1507 
@@ -280,7 +280,7 @@ Enterprises have the following identity and management choices. |---|---| | Identity | Active Directory; Azure AD | | Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | +| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | **Note:** With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). 
@@ -326,9 +326,9 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279 - **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). +- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security). -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr). 
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 71c7f06847..1a4c0d57c0 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -195,7 +195,7 @@ We recently added the option to download Windows 10 Insider Preview builds using ### Optimize update delivery -With changes delivered in Windows 10, version 1703, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10, version 1703, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. >[!NOTE] > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. 
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index e13290b34f..051d5d4b6e 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -134,7 +134,7 @@ Portions of the work done during the offline phases of a Windows update have bee ### Co-management -**Intune** and **System Center Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. +**Intune** and **Microsoft Endpoint Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 45feb23e75..f13c8d694c 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md 
@@ -53,7 +53,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update ## Servicing -- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! +- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! - [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. 
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index a9384caf8b..89e6ad37a5 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -32,7 +32,7 @@ If you are updating from an older version of Windows 10 (version 1809 or earlier ### Windows Server Update Services (WSUS) -Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. System Center Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054). +Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054). The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903.
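Review bot: the added text in the LTSC 2016 what's-new file (the all-`+` hunk covering Windows Defender, Windows Defender ATP, VPN security, Management, App-V and UE-V) has grammar errors that should be fixed before merge: the Windows Defender ATP paragraph reads "enables enterprise customers detect, investigate, and respond" (missing "to"), the App-V paragraph reads "on as as-needed basis" (should be "on an as-needed basis"), and the Shared PC mode paragraph has a stray comma in "This version of Windows 10, introduces shared PC mode". The two "What's new in MDM enrollment and management" links in the VPN security and CSP sections still point at the old msdn.microsoft.com/library/windows/hardware/mt299056 URL, while the rest of this PR moves the same reference to docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management; use the docs.microsoft.com URL here as well.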
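Review bot: the rewritten co-management line in whats-new-windows-10-2019.md keeps the typo "hyrid Azure AD-joined" from the removed line; since the line is being replaced anyway, change it to "hybrid", matching the same sentence in the whats-new-windows-10-version-1803.md hunk. The trailing sentence "For more information, see [What's New in MDM enrollment and management](...)" in that hunk also lacks a closing period.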
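Review bot: in the "Optimize update delivery" hunks of whats-new-windows-10-2019.md and whats-new-windows-10-version-1703.md, the rebranded name now sits next to "starting with version 1702 of Configuration Manager", a release that shipped under the System Center name; consider "Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager)" on first mention so that readers running a 1702-era console can match the name to their product. Separately, the unchanged NOTE below the 2019 LTSC hunk ("The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update") is copied from the 1703 article; check that it is still meaningful in an article about the 2019 LTSC release.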
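Review bot: the BitLocker hunk in whats-new-windows-10-version-1507-and-1511.md only corrects the heading capitalization; while touching this section, also fix "will not be accessible on older version of Windows" to "older versions of Windows" in the unchanged XTS-AES note, since that note is the one compatibility warning readers act on before switching fixed and OS drives to XTS-AES.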
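Review bot: in the Windows Update for Business hunk of whats-new-windows-10-version-1507-and-1511.md, the link target changes to docs.microsoft.com/enterprise-mobility-security but the link text still reads "Enterprise Mobility Suite"; update the text to the product name the new URL describes (Enterprise Mobility + Security), or keep the old name and say what it is now called. In the same paragraph the WSUS link still points at technet.microsoft.com/library/hh852345.aspx while the Configuration Manager link beside it moves to docs.microsoft.com/configmgr; consider moving the WSUS link too for consistency.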
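Review bot: the rewritten Delivery Optimization bullet in whats-new-windows-10-version-1903.md carries over "is enabled with of [new policies]"; drop the stray "of" while the line is being changed. In the unchanged bullets of the same hunk, "Windows will automatically logon as the user" should use the verb form "log on", and "after the recent installation of Quality of driver updates" reads as if it were meant to be "quality or driver updates".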
| Message | Date |
| --- | --- |
| **January 2020 Windows 10, version 1909 "D" optional release is available.** The January 2020 optional monthly "D" release for Windows 10, version 1909 and Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | January 28, 2020, 08:00 AM PT |
| **January 2020 Windows "C" optional release is available.** The January 2020 optional monthly "C" release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release. | January 23, 2020, 12:00 PM PT |
| **Windows 7 has reached end of support.** Windows 7 reached end of support on January 14, 2020. If your organization has not yet been able to complete your transition from Windows 7 to Windows 10, and want to continue to receive security updates while you complete your upgrade projects, please read How to get Extended Security Updates for eligible Windows devices. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet. | January 15, 2020, 10:00 AM PT |
| **Take action: January 2020 security update available for all supported versions of Windows.** The January 2020 security update release, referred to as our "B" release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate. | January 14, 2020, 08:00 AM PT |