merge graph api

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -1443,6 +1443,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess</li>
 </ul>
 <p>Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).</p>
+<p>There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:</p>
+<ul>
+<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts</li>
+<li>Start/HideAppList</li>
+</ul>
 </td></tr>
 </tbody>
 </table>

windows/client-management/mdm/policy-csp-privacy.md

@@ -34,11 +34,11 @@ ms.date: 08/21/2017
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
@@ -48,6 +48,9 @@ ms.date: 08/21/2017
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
 
+> [!Note]  
+> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
+
 <p style="margin-left: 20px">The following list shows the supported values:
 
 -   0 (default)– Not allowed.

windows/client-management/mdm/policy-csp-start.md

@@ -448,10 +448,10 @@ ms.date: 08/09/2017
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
@@ -462,7 +462,10 @@ ms.date: 08/09/2017
 > [!NOTE]
 > This policy requires reboot to take effect.
 
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list.
+<p style="margin-left: 20px">Allows IT Admins to configure Start by collapsing or removing the all apps list.
+
+> [!Note]
+> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. 
 
 <p style="margin-left: 20px">The following list shows the supported values:
 

windows/deployment/deploy-enterprise-licenses.md

@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 

windows/deployment/deploy-whats-new.md

@@ -7,6 +7,7 @@ ms.localizationpriority: high
 ms.prod: w10
 ms.sitesec: library
 ms.pagetype: deploy
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 

windows/deployment/update/waas-servicing-channels-windows-10-updates.md

@@ -181,12 +181,12 @@ During the life of a device, it may be necessary or desirable to switch between
 <td align="left">Use media to upgrade to the latest Windows Insider Program build.</td>
 </tr>
 <tr class="odd">
-<td align="left">Long-Term Servicing Channel (Targeted)</td>
-<td align="left">Use media to upgrade to a later Long-Term Servicing Channel build. (Note that the Long-Term Servicing Channel build must be a later build.)</td>
+<td align="left">Semi-Annual Channel (Targeted)</td>
+<td align="left">Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.</td>
 </tr>
 <tr class="even">
-<td align="left">Long-Term Servicing Channel</td>
-<td align="left">Use media to upgrade to a later Long-Term Servicing Channel for Business build (Long-Term Servicing Channel build plus fixes). Note that it must be a later build.</td>
+<td align="left">Semi-Annual Channel</td>
+<td align="left">Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.</td>
 </tr>
 </tbody>
 </table>

windows/deployment/vda-subscription-activation.md

@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 

windows/deployment/windows-10-enterprise-e3-overview.md

@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 

windows/deployment/windows-10-enterprise-subscription-activation.md

@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 

windows/deployment/windows-10-poc-mdt.md

@@ -7,6 +7,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 keywords: deployment, automate, tools, configure, mdt
 ms.localizationpriority: high
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 

windows/deployment/windows-10-poc-sc-config-mgr.md

@@ -7,6 +7,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 keywords: deployment, automate, tools, configure, sccm
 ms.localizationpriority: high
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 

windows/deployment/windows-10-poc.md

@@ -7,6 +7,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 keywords: deployment, automate, tools, configure, mdt, sccm
 ms.localizationpriority: high
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 
@@ -771,6 +772,27 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Add-DnsServerForwarder -IPAddress 192.168.0.2
     </pre>
 
+    **Configure service and user accounts**
+
+    Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
+
+    >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+    On DC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+    <pre style="overflow-y: visible">
+    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
+    Set-ADUser -Identity user1 -PasswordNeverExpires $true
+    Set-ADUser -Identity administrator -PasswordNeverExpires $true
+    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
+    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
+    </pre>
+
 12. Minimize the DC1 VM window but **do not stop** the VM.
 
     Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
@@ -984,27 +1006,6 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Restart-Computer
     </pre>
 
-### Configure service and user accounts
-
-Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
-
->To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
-<pre style="overflow-y: visible">
-New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
-Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
-Set-ADUser -Identity user1 -PasswordNeverExpires $true
-Set-ADUser -Identity administrator -PasswordNeverExpires $true
-Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
-Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
-Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
-</pre>
-
 This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
 
 ## Appendix A: Verify the configuration

windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md

@@ -82,7 +82,7 @@ Reporting | Configure time out for detections in non-critical failed state | Not
 Reporting | Configure time out for detections in recently remediated state | Not used
 Reporting | Configure time out for detections requiring additional action | Not used
 Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Root | Turn off Windows Defender Antivirus | Not used
+Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
 Root | Define addresses to bypass proxy server | Not used
 Root | Define proxy auto-config (.pac) for connecting to the network | Not used
 Root | Define proxy server for connecting to the network | Not used

windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,193 @@
+---
+title: Windows Defender Advanced Threat Protection exposed APIs  
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+---
+
+# Windows Defender ATP exposed APIs 
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+-	Create an app
+-	Get an access token
+-	Run queries on the graph API
+
+### Before you begin
+Before using the APIs, you’ll need to create an app that you’ll use to authenticate against the graph. You’ll need to create a native app to use for the adhoc queries. 
+
+## Create an app
+
+1.	Log on to [Azure](https://portal.azure.com).
+
+2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
+
+    ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
+
+3.	In the Create window, enter the following information then click **Create**.
+
+    ![Image of Create application window](images/atp-azure-create.png)
+
+    - **Name:** WinATPGraph
+    - **Application type:** Native
+    - **Redirect URI:** `https://localhost`
+
+
+4.	Navigate and select the newly created application.
+    ![Image of new app in Azure](images/atp-azure-atp-app.png)
+
+5.	Click **All settings** > **Required permissions** > **Add**.
+
+    ![Image of All settings, then required permissions](images/atp-azure-required-permissions.png)
+
+6.	Click **Select an API** > **Microsoft Graph**, then click **Select**.
+
+    ![Image of API access and API selection](images/atp-azure-api-access.png)
+
+
+7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**.
+
+    ![Image of select permissions](images/atp-azure-select-permissions.png)
+
+You can now use the code snippets in the following sections to query the API using the created app ID.
+
+## Get an access token
+1.	Get the Client ID from the application you created.
+
+2. Use the **Client ID**. For example:
+    ```
+    private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+    private const string resourceId = "https://graph.microsoft.com";
+    private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
+    private const string redirect = "https://localhost"; 
+    HttpClient client = new HttpClient();
+    AuthenticationContext auth = new AuthenticationContext(authority);
+    var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
+    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
+    ```
+
+## Query the graph
+Once the bearer token is retrieved, you can easily invoke the graph APIs. For example:
+
+```
+client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); 
+// sample endpoint
+string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5";
+HttpResponseMessage response = client.GetAsync(ep).Result;
+string resp = response.Content.ReadAsStringAsync().Result;
+Console.WriteLine($"response for: {ep} \r\n {resp}");
+```
+## Supported APIs
+
+| Entity | Action | Description | Functions | Route |
+|---------|---------------|--------------------------------------------------------------------------|--------------------------------------------|-------------------------------------------|
+| Actor | Get | Retrieves an actor report from the CMS. | $top, $select, $count | /actor/{id} |
+|  | GetAlerts | Retrieves all alerts related to a given actor. | $expand, $top, $select, $count | /actor/{id}/alerts |
+| Alerts | Get | Retrieves top recent alerts | $top, $select, $count, $skip, $expand | /alerts |
+|  | Get | Retrieves an alert by its ID | $top, $select, $count, $expand | /alerts/{id} |
+|  | GetMachines | Retrieves all machines related to a specific alert | $top, $select, $count | /alerts/{id}/machines |
+|  | GetFiles | Retrieves all files related to a specific alert | $top, $select, $count | /alerts/{id}/files |
+|  | GetActor | Retrieves the actor related to the specific alert | $top, $select, $count | /alerts/{id}/actor |
+|  | GetDomains | Retrieves all domains related to a specific alert | $top, $select, $count | /alerts/{id}/domains |
+|  | GetIPs | Retrieves all IPs related to a specific alert | $top, $select, $count | /alerts/{id}/ips |
+| Machine | Get | Retrieves a collection of recently seen machines | $top, $select, $count, $skip | /machines |
+|  | Get | Retrieves a machine entity by ID | $top, $select, $count | /machines/{id} |
+|  | GetAlerts | Retrieves a collection of alerts related to a given machine ID | $top, $select, $count, $expand | /machines/{id}/alerts |
+|  | GetLogOnUsers | Retrieves a collection of logged on users related to a given machine ID | $top, $select, $count | /machines/{id}/logonusers |
+|  | Find | Find a machine entity around a specific timestamp by FQDN or internal IP | $top, $select, $count, $expand(logonusers) | /machines/find(key={id},timestamp={time}) |
+| User | Get | Retrieve a User entity by key (user name or domain\user) | $top, $select, $count | /users/{id} |
+|  | GetAlerts | Retrieves a collection of alerts related to a given user ID | $top, $select, $count, $expand | /users/{id}/alerts |
+|  | GetMachines | Retrieves a collection of machines related to a given user ID | $top, $select, $count | /users/{id}/machines |
+| Domain | Get | Retrieves a domain entity | $top, $select, $count | /domains/{id} |
+|  | GetAlerts | Retrieves a collection of alerts related to a given domain address | $top, $select, $count, $expand | /domains/{id}/alerts |
+|  | GetMachines | Retrieves a collection of machines related to a given domain address | $top, $select, $count | /domains/{id}/machines |
+|  | Stats | Retrieves the prevalence for the given domain |  | /domains/{id}/stats |
+| IP | Get | Retrieves an IP entity | $top, $select, $count | /ips/{id} |
+|  | GetAlerts | Retrieves a collection of alerts related to a given IP address | $top, $select, $count, $expand | /ips/{id}/alerts |
+|  | GetMachines | Retrieves a collection of machines related to a given IP address | $top, $select, $count | /ips/{id}/machines |
+|  | Stats | Retrieves the prevalence for the given IP |  | /ips/{id}/stats |
+| File | Get | Retrieves a file by identifier(Sha1, Sha256, MD5) | $top, $select, $count | /files/{id} |
+|  | GetAlerts | Retrieves a collection of alerts related to a given file hash | $top, $select, $count, $expand | /files/{id}/alerts |
+|  | GetMachines | Retrieves a collection of machines related to a given file hash | $top, $select, $count | /files{id}/machines |
+|  | Stats | Retrieves the prevalence for the given file |  | /files/{id}/machines |
+
+### Example queries
+After creating the application, you can run the following queries.
+
+Fetching the top 20 alerts with machine information:
+```
+private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+private const string resourceId = "https://graph.microsoft.com";
+private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
+private const string redirect = "https://localhost";
+HttpClient client = new HttpClient();
+AuthenticationContext auth = new AuthenticationContext(authority);
+var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
+client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
+var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine"; // the query itself in yellow
+HttpResponseMessage response = client.GetAsync(ep).Result;
+string resp = response.Content.ReadAsStringAsync().Result;
+Console.WriteLine($"response for: {ep} \r\n {resp}");
+``` 
+
+Response:
+```
+{
+    "@odata.context": "https://graph.microsoft-ppe.com/testwdatp/$metadata#Alerts",
+    "@odata.count": 20,
+    "@odata.nextLink": "https://graph.microsoft-ppe.com/testwdatp/alerts?$top=20&$expand=machine&$skip=20",
+    "value": [
+        {
+            "id": "636341278149188342_1960231459",
+            "severity": "Medium",
+            "status": "New",
+            "description": "A process has injected code into another process using process hollowing technique, indicating suspicious code being run in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.",
+            "recommendedAction": "1. Investigate the machine's timeline for any other indicators around the time of this alert \n2. Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc. \n3. Contact the machine's user to verify whether they received an email with a suspicious attachment or link around the time of the alert.\n4. Run a full malware scan on the machine, this may reveal additional related components. \n5. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information. \n6. If initial investigation confirms suspicions, contact your incident response team for forensic analysis.",
+            "alertCreationTime": "2017-06-27T02:36:53.7841015Z",
+            "category": "Installation",
+            "title": "Process hollowing detected",
+            "threatFamilyName": null,
+            "detectionSource": null,
+            "classification": null,
+            "determination": null,
+            "assignedTo": null,
+            "resolvedTime": null,
+            "lastEventTime": "2017-06-29T10:11:54.2872094Z",
+            "firstEventTime": "2017-06-27T02:30:23.9320988Z",
+            "machine": {
+                "id": "67e5ef2c2eab150cc8638e21dba19c1b0a41ad0b",
+                "computerDnsName": null,
+                "firstSeen": "0001-01-01T00:00:00Z",
+                "isOnline": false,
+                "osPlatform": null,
+                "osVersion": null,
+                "systemProductName": null,
+                "lastIpAddress": null,
+                "lastExternalIpAddress": null,
+                "agentVersion": null,
+                "osBuild": null,
+                "healthStatus": "Active",
+                "isAadJoined": null
+            }
+        },
+}….
+
+```
+Related topics
+- Create and build Power BI reports