Merge remote-tracking branch 'refs/remotes/origin/master' into vs-7955147

windows/keep-secure/TOC.md

@@ -680,6 +680,7 @@
 ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
 #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
+#### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
 ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
 ##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)

windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md

@@ -1,6 +1,6 @@
 ---
-title: Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality (Windows 10)
-description: Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker.
+title: Add apps to your enterprise data protection (EDP) policy by using Microsoft Intune and custom URI functionality (Windows 10)
+description: Add apps to your enterprise data protection (EDP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
 ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
 keywords: EDP, Enterprise Data Protection, protected apps, protected app list
 ms.prod: w10
@@ -18,34 +18,35 @@ author: eross-msft
 
 <span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
 
-Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
+You can add apps to your enterprise data protection (EDP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
 
-**Important**  
+>**Important**  
 Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
 
-If you only want to add one app at a time, you can follow the instructions in the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic.
-
-**To add Universal Windows Platform (UWP) apps**
-
+## Add Store apps
 1.  Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
 
-2.  Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.<p>
-The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
+2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.
 
-3.  In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.<p>
-You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
+    The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
 
-4.  Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.<p>
-This name should be easily recognizable, such as *EDP_UniversalApps_Rules*.
+3.  In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
 
-5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.<p>
-**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.<p>
-**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+    You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
+
+4.  Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
+
+    This name should be easily recognizable, such as *EDP_StoreApps_Rules*.
+
+5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
+
+    >**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
 
 6.  In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
 
-7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.<p>
-**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
+
+    >**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
 8.  Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
 
@@ -59,36 +60,42 @@ This name should be easily recognizable, such as *EDP_UniversalApps_Rules*.
 
 13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
 
-14. Copy the text that has a **Type** of Appx, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
+14. Copy the text that has a **Type** of `Appx`, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
 
     ```
-    <RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
+        <RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
     ```
 
 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>
 After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
 
-**To add Classic Windows applications**
+## Add Desktop apps
+1.  Open the Local Security Policy snap-in (SecPol.msc).
 
-1.  Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
+2.  In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
 
-2.  Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.<p>
-The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder.
+    The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder.
 
-3.  In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.<p>
-You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
+3.  In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
 
-4.  Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.<p>
-This name should be easily recognizable, such as *EDP_ClassicApps_Rules*.
+    You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
 
-5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.<p>
-**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.<p>
-**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+4.  Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
+
+    This name should be easily recognizable, such as *EDP_DesktopApps_Rules*.
+
+5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
+
+    >**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
+    
+    <p>
+    >**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
 
 6.  In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
 
-7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.<p>
-**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+7.  In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
+
+    >**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
 8.  Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
 
@@ -102,14 +109,15 @@ This name should be easily recognizable, such as *EDP_ClassicApps_Rules*.
 
 13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
 
-14. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
+14. Copy the text that has a **Type** of `EXE`, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
 
     ``` 
-    <RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
+        <RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
     ```
 
-15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>
-After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
+15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
+
+    After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
 
 ##Related topics
 - [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)

windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,39 @@
+---
+title: Assign user access to the Windows Defender Advanced Threat Protection portal
+description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. 
+keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Assign user access to the Windows Defender ATP portal
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Azure Active Directory
+- Office 365
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). User can be assigned one of the following levels of permissions:
+- Full access (Read and Write)
+- Read only access
+
+**Full access** <br>
+Users with full access can log in, view all system information as well as resolve alerts, submit files for deep analysis, and download the onboarding package.
+Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
+
+**Read only access** <br>
+Users with read only access can log in, view all alerts, and related information. 
+They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
+Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
+
+Your administrator can assign roles using the Office 365 portal, or in the Azure classic portal, or by using the AAD module for Windows PowerShell. 
+For more information, see [Assigning admin roles in Office 365](https://support.office.com/en-us/article/Assigning-admin-roles-in-Office-365-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US) and [Assigning administrator roles in Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-assign-admin-roles/).
+

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 |----------------------|-------------|
 |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New |
 |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
+|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New |
 
 
 ## June 2016

windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md

@@ -1,13 +1,13 @@
 ---
 title: Configure Windows Defender ATP endpoints
 description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service.
-keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager
+keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: iaanw
+author: mjcaparas
 ---
 
 # Configure Windows Defender ATP endpoints
@@ -19,16 +19,24 @@ author: iaanw
 
 <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
 
-You can use a Group Policy (GP) configuration package, a System Center Configuration Manager (SCCM) package, or an automated script to configure endpoints.
+Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization. 
 
-## Configure with Group Policy
-Using the GP configuration package ensures your endpoints will be correctly configured to report to the Windows Defender ATP service.
+Windows Defender ATP supports the following deployment tools and methods:
 
-> **Note**&nbsp;&nbsp;To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later.
+- Group Policy
+- System Center Configuration Manager (current branch) version 1606 
+- System Center 2012 Configuration manager or later versions
+- Mobile Device Management
+- Microsoft Intune
+- Local script
+
+## Configure endpoints with Group Policy
+
+> **Note**&nbsp;&nbsp;To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. 
 
 1.  Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
-    a.  Click **Client onboarding** on the **Navigation pane**.
+    a.  Click **Endpoint Management** on the **Navigation pane**.
 
     b.  Select **Group Policy**, click **Download package** and save the .zip file.
 
@@ -50,12 +58,17 @@ Using the GP configuration package ensures your endpoints will be correctly conf
 
 For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md).
 
+## Configure endpoints with System Center Configuration Manager (current branch) version 1606
+System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section.
 
-## Configure with System Center Configuration Manager
+> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
+
+## Configure endpoints with System Center 2012 Configuration Manager or later versions
+You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier. 
 
 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
-    a. Click **Client onboarding** on the **Navigation pane**.
+    a. Click **Endpoint Management** on the **Navigation pane**.
 
     b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file.
 
@@ -67,15 +80,62 @@ For additional settings, see the [Additional configuration settings section](add
 
     a. Choose a predefined device collection to deploy the package to.
 
+## Configure endpoints with Mobile Device Management tools
+You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. 
+
+For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
+
+> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
+
+## Configure endpoints with Microsoft Intune
+
+For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
+
+> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
+
+1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+ 
+    a.  Click **Endpoint Management** on the **Navigation pane**.
+
+    b.  Select **Microsoft Intune**, click **Download package** and save the .zip file.
+
+2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATP.onboarding*.
+
+3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
+
+These policies are categorized into two groups:
+- Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
+    - Onboarding
+    - Health Status for onboarded machines
+    - Configuration for onboarded machines
+- Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
+    - Offboarding
+    - Health Status for offboarded machines
+    - Configuration for offboarded machines
+
+> **Warning**&nbsp;&nbsp;These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions.
+
+Policy | OMA-URI | Type | Description | Value
+:---|:---|:---|:---|:---
+Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Onboarding | Copy content from onboarding MDM file
+Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is running | TRUE
+ | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Onboarded to Windows Defender ATP | 1
+  | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Onboarded to Organization ID | Use OrgID from onboarding file
+ Configuration for onboarded machines  | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | Windows Defender ATP Sample sharing is enabled | 0 or 1 <br> Default value: 1
+ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Offboarding | Copy content from offboarding MDM file
+ Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE
+  | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP  | 0
+
+> **Note**&nbsp;&nbsp;Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated.
+
+## Configure endpoints individually with a local script
 
-## Configure endpoints individually with an automated script
-<a name="manual"></a>
 You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
 
 
 1.  Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
-    a.  Click **Client onboarding** on the **Navigation pane**.
+    a.  Click **Endpoint Management** on the **Navigation pane**.
 
     b.  Select **Local Script**, click **Download package** and save the .zip file.
 
@@ -97,7 +157,6 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
 See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
 
 ## Related topics
-<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
 - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 - [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
 - [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -116,15 +116,16 @@ For more information on how to use Netsh see, [Netsh Commands for Windows Hypert
 
 If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
 
-- us.vortex-win.data.microsoft.com  
+- *.blob.core.windows.net
+- crl.microsoft.com
 - eu.vortex-win.data.microsoft.com
 - sevillegwcus.microsoft.com
 - sevillegweus.microsoft.com
-- sevillegwweu.microsoft.com
 - sevillegwneu.microsoft.com
+- sevillegwweu.microsoft.com
+- us.vortex-win.data.microsoft.com 
 - www.microsoft.com
-- crl.microsoft.com
-- \*.blob.core.windows.net
+
 
 If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP  sensor is connecting from system context, make sure anonymous traffic is permitted to the above listed URLs.
 
@@ -165,13 +166,13 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
 
 7. Repeat the same steps for the remaining URLs with the following arguments:
 
-    - portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp
-    - portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp
-    - portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp
-    - portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp
-    - portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp
-    - portqry.exe -n www.microsoft.com -e 80 -p tcp
-    - portqry.exe -n crl.microsoft.com -e 80 -p tcp
+   - portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp
+   - portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp
+   - portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp
+   - portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp
+   - portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp
+   - portqry.exe -n www.microsoft.com -e 80 -p tcp
+   - portqry.exe -n crl.microsoft.com -e 80 -p tcp
 
 8. Verify that each URL shows that the name is **resolved** and the connection status is **listening**.
 

windows/keep-secure/credential-guard.md

@@ -29,7 +29,8 @@ Credential Guard isolates secrets that previous versions of Windows stored in th
 
 For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
 
-Credential Guard also does not allow older variants of NTLM, unconstrained Kerberos delegation, and Kerberos authentication protocols and cipher suites when using default derived credentials, including NTLMv1, MS-CHAPv2, and weaker Kerberos encryption types, such as DES.
+Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.
+
 Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
 
 ![Credential Guard overview](images/credguard.png)

windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md

@@ -84,7 +84,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
 
 A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
 
-> **Note**  Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
+> **Note**  Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
 
 ## View deep analysis report
 

windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md

@@ -43,15 +43,4 @@ Internet connectivity on endpoints is also required. See [Configure Windows Defe
 
 Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
 
-### Deployment channel operating system requirements
 
-You can choose to onboard endpoints with a scheduled Group Policy (GP) or System Center Configuration Manager (SCCM) update (using a configuration package that you download from the portal or during the service onboarding wizard), or by manually running a script to modify the registry.
-
-The following describes the minimum operating system or software version
-required for each deployment channel.
-
-Deployment channel | Minimum server requirements
-:---|:---
-Group Policy settings | Windows Server 2008 R2
-System Center Configuration Manager | SCCM 2012
-Manual (script) | No minimum requirements

windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md

@@ -14,7 +14,7 @@ author: iaanw
 
 **Applies to:**
 
-- Windows 10 TAP program
+- Windows 10 Insider Preview Build 14332 or later
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
@@ -34,7 +34,7 @@ You need to onboard to Windows Defender ATP before you can use the service.
 ## In this section
 Topic | Description
 :---|:---
-[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn how you can use the configuration package to configure endpoints in your enterprise.
+[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
 [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
 [Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md) | Learn how to configure settings for sample sharing used in the deep analysis feature.
 [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports.

windows/keep-secure/overview-create-edp-policy.md

@@ -1,6 +1,6 @@
 ---
 title: Create an enterprise data protection (EDP) policy (Windows 10)
-description: Microsoft Intune and System Center Configuration Manager (version 1605 Technical Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
 ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
 ms.prod: w10
 ms.mktglfcycl: explore
@@ -17,13 +17,13 @@ author: eross-msft
 
 <span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
 
-Microsoft Intune and System Center Configuration Manager (version 1605 Technical Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
 
 ## In this section
 |Topic |Description |
 |------|------------|
 |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
-|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |Configuration Manager (version 1605 Technical Preview or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
+|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
  
 
  

windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md

@@ -1,7 +1,7 @@
 ---
 title: Windows Defender Advanced Threat Protection portal overview
 description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
-keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks
+keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, endpoint management, advanced attacks
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -44,12 +44,12 @@ You can navigate through the portal using the menu options available in all sect
 Area | Description
 :---|:---
 (1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
-(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Client onboarding**.
+(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Endpoint Management**.
 **Dashboard**	| Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
 **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
 **Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
 **Preferences setup**|	Shows the settings you selected <!--during [service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md),-->and lets you update your industry preferences and retention policy period.
-**Client onboarding**|	Allows you to download the onboarding configuration package.
+**Endpoint Management**|	Allows you to download the onboarding configuration package.
 (3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
 (4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.
 

windows/keep-secure/protect-enterprise-data-using-edp.md

@@ -27,7 +27,7 @@ You’ll need this software to run EDP in your enterprise:
 
 |Operating system | Management solution |
 |-----------------|---------------------|
-|Windows 10 Insider Preview | Microsoft Intune<br>-OR-<br>System Center Configuration Manager (version 1605 Tech Preview or later)<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
+|Windows 10 Insider Preview | Microsoft Intune<br>-OR-<br>System Center Configuration Manager Technical Preview version 1605 or later<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
 
 ## How EDP works
 EDP helps address your everyday challenges in the enterprise. Including:
@@ -89,13 +89,4 @@ Use the following table to identify the scenarios that require Azure Rights Mana
 ## Next steps
 After deciding to use EDP in your enterprise, you need to:
 
--   [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
-
- 
-
- 
-
-
-
-
-
+-   [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)

windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md

@@ -112,7 +112,7 @@ page.
 
 Follow the steps in the onboarding wizard to complete the onboarding process.
 
-At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Client onboarding** menu on the portal after you have completed the onboarding wizard.
+At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Endpoint Management** menu on the portal after you have completed the onboarding wizard.
 
 ## Related topics
 - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)

windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md

@@ -55,6 +55,29 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
 
 If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
 
+If you configured your endpoints with a deployment tool that required a script, you can check  the event viewer for the onboarding script results.
+<br>
+**Check the result of the script**:
+
+1. Click **Start**, type **Event Viewer**, and press **Enter**.
+
+2. Go to **Windows Logs** > **Application**.
+
+3. Look for an event from **WDATPOnboarding** event source.
+
+If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
+> **Note**&nbsp;&nbsp;The following event IDs are specific to the onboarding script only. 
+
+Event ID | Error Type | Resolution steps
+:---|:---|:---
+5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```
+10 | Onboarding data couldn't be written to registry |  Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
+15 |  Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). 
+30 |  The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+35 |  The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer].(event-error-codes-windows-defender-advanced-threat-protection.md). 
+40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 
+
+<br>
 **Use Event Viewer to identify and adress onboarding errors**:   
 
 1. Click **Start**, type **Event Viewer**, and press **Enter**.
@@ -76,9 +99,10 @@ If the **OnboardingState** value is not set to **1**, you can use Event Viewer t
 Event ID | Message | Resolution steps
 :---|:---|:---
 5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
-6 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
-7 |  Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then [run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+6 | Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+7 |  Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
 15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
 
 
 ### Ensure the Windows Defender ATP service is enabled
@@ -104,7 +128,7 @@ If the the service is running, then the result should look like the following sc
 
   ![Result of the sq query sense command](images/sc-query-sense-autostart.png)
 
-If the service **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+If the service ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
 
 **Change the Windows Defender ATP service startup type from the command line:**
 
@@ -192,7 +216,7 @@ If the service is enabled, then the result should look like the following screen
 
 ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
 
-If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
 
 
 
@@ -330,6 +354,55 @@ To ensure that sensor has service connectivity, follow the steps described in th
 
 If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.    
 
+## Troubleshoot onboarding issues using Microsoft Intune
+You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
+
+Use the following tables to understand the possible causes of issues while onboarding:
+
+- Microsoft Intune error codes and OMA-URIs table
+- Known issues with non-compliance table
+- Mobile Device Management (MDM) event logs table
+
+If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt.  
+
+**Microsoft Intune error codes and OMA-URIs**:
+
+Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
+:---|:---|:---|:---|:---
+0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding |  **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [Ensure the endpoint is onboarded successfully](#ensure-the-endpoint-is-onboarded-successfully) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ | | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. <br> <br> If it doesn't exist, open an elevated command and add the key. 
+  | | | SenseIsRunning <br> OnboardingState <br> OrgId |  **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+   | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms:  Enterprise, Education, and Professional. <br> Server is not supported. 
+   0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient.  | All |  **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms:  Enterprise, Education, and Professional. 
+
+<br>
+**Known issues with non-compliance**
+
+The following table provides information on issues with non-compliance and how you can address the issues.
+
+Case | Symptoms | Possible cause and troubleshooting steps
+:---|:---|:---
+1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. <br><br> **Troubleshooting steps:** Wait for OOBE to complete.
+2 |  Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. |  **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
+3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
+
+<br>
+**Mobile Device Management (MDM) event logs**
+
+View the MDM event logs to troubleshoot issues that might arise during onboarding:
+
+Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider 
+
+Channel name: Admin
+
+ID | Severity | Event description | Description
+:---|:---|:---|:---
+1801 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Get Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has failed to get specific node's value. <br> TokenName: Contains node name that caused the error. <br> Result: Error details.  
+1802 | Information | Windows Defender Advanced Threat Protection CSP: Get Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3) |  Windows Defender ATP has completed to get specific node's value. <br> TokenName: Contains node name <br><br> Result: Error details or succeeded.
+1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value. <br><br> TokenName: Contains node name that caused the error <br><br> Result: Error details.
+1820 | Information | Windows Defender Advanced Threat Protection CSP: Set Nod's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value. <br><br> TokenName: Contains node name <br><br> Result: Error details or succeeded.
+
+
 <!--
 
 ## There are no users in the Azure Active Directory

windows/manage/change-history-for-manage-and-update-windows-10.md

@@ -12,6 +12,12 @@ author: jdeckerMS
 
 This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 
+## July 2016
+
+| New or changed topic | Description |
+| ---|---|
+| [Windows 10 servicing options](introduction-to-windows-10-servicing.md)  | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). |
+
 ## June 2016
 
 | New or changed topic | Description |

windows/plan/change-history-for-plan-for-windows-10-deployment.md

@@ -13,6 +13,13 @@ author: TrudyHa
 
 This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 
+## July 2016
+
+
+| New or changed topic                                                                                                                             | Description |
+|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+| [Windows 10 servicing overview](windows-10-servicing-options.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md) page. |
+
 ## May 2016
 
 

windows/plan/windows-10-servicing-options.md

@@ -34,14 +34,13 @@ This new model uses simpler deployment methods, reducing the overall amount of e
 
 The concept of branching goes back many years, and represents how Windows has traditionally been written and serviced. Each release of Windows was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because it is incorporated directly into the servicing model.
 
-With Windows 10, Microsoft has implemented the following new servicing options:
-
-![branches](images/branch.png)
+Microsoft has implemented the following new servicing options in Windows 10:
 
 **Windows Insider Program**: To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, a small number of PCs can leverage the Windows Insider Program branch. These are typically dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices.<BR>
 **Current Branch (CB)**: For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features.<BR>
 **Current Branch for Business (CBB)**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time.<BR>
 **Long-Term Servicing Branch (LTSB)**: For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.)<BR>
+![branches](images/branch.png)
 
 These servicing options provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. Some examples are shown in the table below:
 
@@ -52,8 +51,8 @@ These servicing options provide pragmatic solutions to keep more devices more cu
 | Pharmaceuticals    | &lt;1%                  | 10%            | 50%                         | 40%                        |
 | Consulting         | 10%                     | 50%            | 35%                         | 5%                         |
 | Software developer | 30%                     | 60%            | 5%                          | 5%                         |
-
-Because every organization is different, the exact breakdown will vary even within a specific industry; these should be considered only examples, not specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch.
+<BR>
+Because every organization is different, the exact breakdown will vary even within a specific industry. The examples shown above should not be taken as specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch.
 
 -   Retailers often have critical devices (for example, point-of-sale systems) in stores which results in higher percentages of PCs on the Long-Term Servicing Branch. But those used by information workers in support of the retail operations would leverage Current Branch for Business to receive new features.
 
@@ -67,7 +66,7 @@ Because every organization is different, the exact breakdown will vary even with
 
 Note that there are few, if any, scenarios where an entire organization would use the Long-Term Servicing Branch for all PCs – or even for a majority of them.
 
-In addition to implementing these new servicing options, Microsoft streamlined the Windows product engineering and release cycle so that Microsoft can deliver new features, experiences, and functionality more quickly than ever. Microsoft also created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership.
+With these new servicing options, Microsoft streamlined the Windows product engineering and release cycle so that Microsoft can deliver new features, experiences, and functionality more quickly than ever. Microsoft also created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership.
 
 Windows 10 enables organizations to fulfill the desire to provide users with the latest features while balancing the need for manageability and cost control. To keep pace with technology, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows.