from master

mdop/mbam-v25/mbam-25-supported-configurations.md

@@ -464,6 +464,12 @@ The following table lists the operating systems that are supported for MBAM Clie
 </tr>
 </thead>
 <tbody>
+<tr class="even">
+    <td align="left"><p>Windows 10 IoT</p></td>
+    <td align="left"><p>Enterprise</p></td>
+    <td align="left"><p></p></td>
+    <td align="left"><p>32-bit or 64-bit</p></td>
+</tr>  
 <tr class="odd">
 <td align="left"><p>Windows 10</p></td>
 <td align="left"><p>Enterprise</p></td>
@@ -518,6 +524,12 @@ The following table lists the operating systems that are supported for MBAM Grou
 </tr>
 </thead>
 <tbody>
+ <tr class="even">
+      <td align="left"><p>Windows 10 IoT</p></td>
+      <td align="left"><p>Enterprise</p></td>
+      <td align="left"><p></p></td>
+      <td align="left"><p>32-bit or 64-bit</p></td>
+ </tr>
 <tr class="odd">
 <td align="left"><p>Windows 10</p></td>
 <td align="left"><p>Enterprise</p></td>

mdop/mbam-v25/release-notes-for-mbam-25-sp1.md

@@ -136,10 +136,12 @@ Digging this further with Fiddler – it does look like once we click on Reports
 
 **Workaround:** Looking at the site.master code and noticed the X-UA mode was dictated as IE8. As IE8 is WAY past the end of life, and customer is using IE11. Update the setting to the below code. This allows the site to utilize IE11 rendering technologies
 
-<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
+    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
 
 Original setting is: 
-<meta http-equiv="X-UA-Compatible" content="IE=8" />
+
+    <meta http-equiv="X-UA-Compatible" content="IE=8" />
+
 
 This is the reason why the issue was not seen with other browsers like Chrome, Firefox etc.
 

store-for-business/distribute-apps-from-your-private-store.md

@@ -21,7 +21,7 @@ ms.date: 3/19/2018
 -   Windows 10
 -   Windows 10 Mobile
 
-The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Micrsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
+The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
 
 You can make an app available in your private store when you acquire the app, or you can do it later from your inventory. Once the app is in your private store, employees can claim and install the app.
 

windows/configuration/change-history-for-configure-windows-10.md

@@ -10,7 +10,7 @@ ms.localizationpriority: high
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 06/05/2018
+ms.date: 06/19/2018
 ---
 
 # Change history for Configure Windows 10
@@ -22,6 +22,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
 New or changed topic | Description
 --- | ---
 [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)  | Updated instructions for using Microsoft Intune to configure a kiosk.
+[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added new Group Policy to remove "Recently added" list from Start menu.
 
 ## May 2018
 

windows/configuration/windows-10-start-layout-options-and-policies.md

@@ -10,7 +10,7 @@ author: jdeckerms
 ms.author: jdecker
 ms.topic: article
 ms.localizationpriority: high
-ms.date: 05/24/2018
+ms.date: 06/19/2018
 ---
 
 # Manage Windows 10 Start and taskbar layout
@@ -51,7 +51,7 @@ The following table lists the different parts of Start and any applicable policy
 | User tile | MDM: **Start/HideUserTile**</br>**Start/HideSwitchAccount**</br>**Start/HideSignOut**</br>**Start/HideLock**</br>**Start/HideChangeAccountSettings**</br></br>Group Policy: **Remove Logoff on the Start menu** | none  |
 | Most used | MDM: **Start/HideFrequentlyUsedApps**</br></br>Group Policy: **Remove frequent programs from the Start menu** | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Show most used apps** |
 | Suggestions</br>-and-</br>Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**</br></br>Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences**</br></br>**Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Occasionally show suggestions in Start** |
-| Recently added | MDM: **Start/HideRecentlyAddedApps** | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Show recently added apps** |
+| Recently added | MDM: **Start/HideRecentlyAddedApps**<br>Group Policy: **Computer configuration**\\**Administrative Template**\\**Start Menu and Taskbar**\\**Remove "Recently Added" list from Start Menu** (for Windows 10, version 1803) | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Show recently added apps** |
 | Pinned folders | MDM: **AllowPinnedFolder** | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Choose which folders appear on Start** |
 | Power | MDM: **Start/HidePowerButton**</br>**Start/HideHibernate**</br>**Start/HideRestart**</br>**Start/HideShutDown**</br>**Start/HideSleep**</br></br>Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none |
 | Start layout | MDM: **Start layout**</br>**ImportEdgeAssets**</br></br>Group Policy: **Prevent users from customizing their Start screen**</br></br>**Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.</br></br>**Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none |

windows/deployment/update/update-compliance-get-started.md

@@ -27,6 +27,9 @@ Steps are provided in sections that follow the recommended setup process:
 
 Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
 
+>[!IMPORTANT]
+>Update Compliance is a free solution for Azure subscribers.
+
 If you are already using OMS, skip to step **6** to add Update Compliance to your workspace.
 
 >[!NOTE]

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -1974,7 +1974,7 @@ You can turn off Windows Update by setting the following registry entries:
 
     -and-
 
--   Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to "".
+-   Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ".
 
 
 You can turn off automatic updates by doing one of the following. This is not recommended.

windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md

@@ -88,6 +88,7 @@ The following table shows the TPM owner authorization values in the registry.
 | 2          | Delegated |
 | 4          | Full      |
 
+A value of 5 means discard the **Full** TPM owner authorization for TPM 1.2 but keep it for TPM 2.0.
  
 If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose.
 

windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md

@@ -31,6 +31,7 @@ Some ways to store credentials are not protected by Windows Defender Credential
 -   Digest and CredSSP credentials
     -   When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
 -   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- 
+-  Kerberos service tickets are not protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
 -  When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
 -  Windows logon cached password verifiers (commonly called "cached credentials")
 do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md

@@ -193,18 +193,16 @@ In this example, you'd get the following info:
 Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
 
 ### Add an AppLocker policy file
-For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
+Now we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. The first example shows how to create a Packaged App rule for Store apps. The second example shows how to create an Executable rule by using a path for unsigned apps. For more info, see [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview).
 
-**To create an app rule and xml file using the AppLocker tool**
+**To create a Packaged App rule rule and xml file**
 1.	Open the Local Security Policy snap-in (SecPol.msc).
     
-2.	In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
+2.	In the left pane, click **Application Control Policies** > **AppLocker** > **Packaged App Rules**.
 
     ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
 
-3.	Right-click in the right-hand pane, and then click **Create New Rule**.
-
-    The **Create Packaged app Rules** wizard appears.
+3. Right-click **Packaged App Rules** > **Create New Rule**.
 
 4. On the **Before You Begin** page, click **Next**.
 
@@ -262,6 +260,39 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
     ```
 12.	After you’ve created your XML file, you need to import it by using Microsoft Intune.
 
+**To create an Executable rule and xml file for unsigned apps**
+1. Open the Local Security Policy snap-in (SecPol.msc).
+    
+2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**.
+
+3. Right-click **Executable Rules** > **Create New Rule**.
+
+   ![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png)
+
+4. On the **Before You Begin** page, click **Next**.
+
+5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
+
+6. On the **Conditions** page, click **Path** and then click **Next**.
+
+    ![Create Packaged app Rules wizard, showing the Publisher](images/path-condition.png)
+
+7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files".
+
+    ![Create Packaged app Rules wizard, showing the Select applications page](images/select-path.png)
+
+8. On the **Exceptions** page, add any exceptions and then click **Next**.
+
+9. On the **Name** page, type a name and description for the rule and then click **Create**.
+
+10.	In the left pane, right-click **AppLocker** > **Export policy**.
+
+11.	In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
+
+    The policy is saved and you’ll see a message that says 1 rule was exported from the policy.
+
+12.	After you’ve created your XML file, you need to import it by using Microsoft Intune.
+
 **To import your Applocker policy file app rule using Microsoft Intune**
 1.	From the **App Rules** area, click **Add**.
     

windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 ms.author: justinha
-ms.date: 05/30/2018
+ms.date: 06/18/2018
 ms.localizationpriority: medium
 ---
 
@@ -39,7 +39,7 @@ As an admin, you can address the question of who gets access to your data by usi
 In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don’t allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls.
 
 ### Using data loss prevention systems
-To help address this security insufficiency, company’s developed data loss prevention (also known as DLP) systems. Data loss prevention systems require:
+To help address this security insufficiency, companies developed data loss prevention (also known as DLP) systems. Data loss prevention systems require:
 - **A set of rules about how the system can identify and categorize the data that needs to be protected.** For example, a rule set might contain a rule that identifies credit card numbers and another rule that identifies Social Security numbers.
 
 - **A way to scan company data to see whether it matches any of your defined rules.** Currently, Microsoft Exchange Server and Exchange Online provide this service for email in transit, while Microsoft SharePoint and SharePoint Online provide this service for content stored in document libraries.

windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md

@@ -42,7 +42,6 @@ You can define the conditions for when entities are identified as malicious or s
    - File hash
    - Certificate
    - IP address
-   - DNS
   
 3. Click **Add system exclusion**.
 

windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md

@@ -10,21 +10,25 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/24/2018
+ms.date: 06/19/2018
 ---
 
 # Onboard machines to the Windows Defender ATP service
 
 **Applies to:**
 
+- Windows 7 SP1 Enterprise
+- Windows 7 SP1 Pro
+- Windows 8.1 Enterprise
+- Windows 8.1 Pro
 - Windows 10 Enterprise
 - Windows 10 Education
 - Windows 10 Pro
 - Windows 10 Pro Education
-- macOS
-- Linux
 - Windows Server 2012 R2
 - Windows Server 2016
+- macOS
+- Linux
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
@@ -44,6 +48,38 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
 
 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
 
+## Hardware and software requirements
+### Supported Windows versions
+- Windows 7 SP1 Enterprise
+- Windows 7 SP1 Pro
+- Windows 8.1 Enterprise
+- Windows 8.1 Pro
+- Windows 10
+  - Windows 10 Enterprise
+  - Windows 10 Education
+  - Windows 10 Pro
+  - Windows 10 Pro Education
+- Windows server
+  - Windows Server 2012 R2
+  - Windows Server 2016
+  - Windows Server, version 1803
+
+Machines on your network must be running one of these editions.
+
+The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions.
+
+> [!NOTE]
+> Machines that are running mobile versions of Windows are not supported.
+
+
+### Other supported operating systems
+>[!NOTE]
+>You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. 
+
+-  macOS X
+-  Linux
+
+
 ## Windows Defender Antivirus configuration requirement
 The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. 
 
@@ -61,7 +97,8 @@ For more information, see [Windows Defender Antivirus compatibility](../windows-
 Topic | Description
 :---|:---
 [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
-[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) |  Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP 
+[Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP. 
+[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) |  Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP. 
 [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data. 
 [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
 [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.

windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md

@@ -114,7 +114,7 @@ This tile shows statistics related to automated investigations in the last 30 da
 
 ![Image of automated investigations statistics](images/atp-automated-investigations-statistics.png)
 
-You can click on **Automated investigations**, **Remidated investigations**, and **Alerts investigated** to navigate to the **Invesgations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
+You can click on **Automated investigations**, **Remidated investigations**, and **Alerts investigated** to navigate to the **Investigations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
 
 ## Users at risk
 The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts.