diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 107a70bff1..bf51ddcd42 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1352,6 +1352,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-siem",
+"redirect_document_id": false
+},
+{
"source_path": "windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection",
"redirect_document_id": true
diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md
index a220b4570c..f75a5599df 100644
--- a/devices/hololens/hololens-connect-devices.md
+++ b/devices/hololens/hololens-connect-devices.md
@@ -45,10 +45,15 @@ HoloLens (1st gen) supports the following classes of Bluetooth devices:
### HoloLens (1st gen): Pair the clicker
1. Use the bloom gesture to go to **Start**, and then select **Settings**.
+
1. Select **Devices**, and make sure that Bluetooth is on.
+
1. Use the tip of a pen to press and hold the clicker pairing button until the clicker status light blinks white. Make sure to hold down the button until the light starts blinking.
+
The pairing button is on the underside of the clicker, next to the finger loop.
+
+
1. On the pairing screen, select **Clicker** > **Pair**.
## HoloLens 2: Connect USB-C devices
@@ -77,3 +82,10 @@ To use Miracast, follow these steps:
1. On the list of devices that appears, select an available device.
1. Complete the pairing to begin projecting.
+
+## Disable Bluetooth
+
+This procedure turns off the RF components of the Bluetooth radio and disables all Bluetooth functionality on Microsoft HoloLens.
+
+1. Use the bloom gesture (HoloLens (1st gen)) or the start gesture (HoloLens 2) to go to **Start**, and then select **Settings** > **Devices**.
+1. Move the slider switch for **Bluetooth** to the **Off** position.
diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md
index 5589ec096d..39e0029ff0 100644
--- a/devices/hololens/hololens2-autopilot.md
+++ b/devices/hololens/hololens2-autopilot.md
@@ -71,7 +71,7 @@ Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows
Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
-- Every device can connect to the internet. You can use a wired or wireless connection.
+- Every device can connect to the internet. You can "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
- Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
- Advanced Recovery Companion (ARC)
- The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
@@ -185,24 +185,7 @@ The Enrollment Status Page (ESP) displays the status of the complete device conf
-### 8. Configure a custom configuration profile for HoloLens devices (known issue)
-
-1. In [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), select **Devices** > **Configuration profiles** > **Create profile**.
-1. For **Platform**, specify **Windows 10 and later**, and for **Profile**, select **Custom**.
-1. Select **Create**.
-1. Enter a name for the profile, and then select **Settings** > **Configure**.
-
- 
-1. Select **Add**, and then specify the following information:
-
- - **Name**: SidecarPath
- - **OMA-URI**: ./images/Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/Sidecar/InstallationState
- - **Data type**: Integer
- - **Value**: 2
-1. Select **OK** two times, and then select **Create** to create the profile.
-1. After Intune creates the configuration profile, assign the configuration profile to the device group for the HoloLens devices.
-
-### 9. Verify the profile status of the HoloLens devices
+### 8. Verify the profile status of the HoloLens devices
1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment** > **Devices**.
1. Verify that the HoloLens devices are listed, and that their profile status is **Assigned**.
@@ -234,7 +217,7 @@ At the end of OOBE, you can sign in to the device by using your user name and pa
## Known Issues
-- The list of supported languages for Autopilot deployment profiles includes languages that HoloLens does not support. Select a language that [HoloLens supports](hololens2-language-support.md).
+- You cannot install applications that use the device security context.
## Feedback
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 92801e4289..4d8062c985 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -29,6 +29,7 @@
### [Deploy Surface devices](deploy.md)
### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md)
+### [Windows Virtual Desktop on Surface](windows-virtual-desktop-surface.md)
### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md)
### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml
index a11e35c584..131d77a578 100644
--- a/devices/surface/get-started.yml
+++ b/devices/surface/get-started.yml
@@ -52,8 +52,8 @@ landingContent:
url: microsoft-surface-deployment-accelerator.md
- text: Autopilot and Surface devices
url: windows-autopilot-and-surface-devices.md
- - text: Deploying, managing, and servicing Surface Pro X
- url: surface-pro-arm-app-management.md
+ - text: Windows Virtual Desktop on Surface
+ url: windows-virtual-desktop-surface.md
# Card
- title: Manage Surface devices
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 4599e50712..d44626e6a8 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -9,11 +9,11 @@ ms.sitesec: library
author: coveminer
ms.author: greglin
ms.topic: article
-ms.reviewer: scottmca
+ms.reviewer: hachidan
manager: laurawi
ms.localizationpriority: medium
audience: itpro
-ms.date: 05/11/2020
+ms.date: 05/26/2020
---
# Microsoft Surface Enterprise Management Mode
@@ -228,14 +228,27 @@ create a reset package using PowerShell to reset SEMM.
## Version History
-The latest version of SEMM released May 11, 2020 includes:
+### Version 2.71.139.0
+
+This version of SEMM adds support for Surface Dock 2 management features for Surface Book 3, Surface Laptop 3, and Surface Pro 7 including:
+
+- Enabling audio (locking/unlocking), Ethernet and USB ports
+- Ability to create dock packages for both authenticated and unauthenticated hosts
+
+### Version 2.70.130.0
+
+This version of SEMM includes:
+
- Support for Surface Go 2
- Support for Surface Book 3
- Bug fixes
-### Version 2.59.
-* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported.
-- Support to Wake on Power feature
+
+### Version 2.59.139.0
+
+* Support for Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported.
+
+- Support for Wake on Power feature
### Version 2.54.139.0
* Support to Surface Hub 2S
diff --git a/devices/surface/windows-virtual-desktop-surface.md b/devices/surface/windows-virtual-desktop-surface.md
new file mode 100644
index 0000000000..80434c8eb7
--- /dev/null
+++ b/devices/surface/windows-virtual-desktop-surface.md
@@ -0,0 +1,158 @@
+---
+title: Windows Virtual Desktop on Surface
+description: This article explains how Surface devices deliver an ideal end node for Windows Virtual Desktop solutions, providing customers with flexible form factors, Windows 10 modern device security and manageability, and support for persistent, on-demand & just-in-time work scenarios.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 5/20/2020
+ms.reviewer: rohenr
+manager: laurawi
+audience: itpro
+---
+
+# Windows Virtual Desktop on Surface
+
+## Introduction
+
+Windows Virtual Desktop on Surface lets you run Virtual Desktop Infrastructure (VDI) on a Surface device blurring the lines between the local desktop experience and the virtual desktop where touch, pen, ink, and biometric authentication span both physical and virtual environments. Representing another milestone in the evolution of computing, Windows Virtual Desktop on Surface 1 combines Microsoft 365 - virtualized in the Azure cloud - with the advanced security protections, enterprise-level manageability, and enhanced productivity tools of Windows 10 on Surface. This fusion of premium form factor and Virtual Desktop Infrastructure in Azure provides exceptional customer value across user experiences, portability, security, business continuity, and modern management.
+
+### Windows Virtual Desktop
+
+Windows Virtual Desktop (WVD) is a comprehensive desktop and app virtualization service running in the Azure cloud. It’s the only virtual desktop infrastructure that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. With WVD you can quickly deploy and scale Windows desktops and apps on Azure and get built-in security and compliance features.
+
+### Windows Virtual Desktop partner integrations
+
+For a list of approved partner providers and independent software vendors for Windows Virtual Desktop, see [Windows Virtual Desktop partner integrations](https://docs.microsoft.com/azure/virtual-desktop/partners). Some partners also provide Virtual Desktop as a Service (DaaS). DaaS frees you from having to maintain your own virtual machines (VMs) by providing a fully managed, turnkey desktop and virtualization service. The ability to deliver customized desktops to users anywhere in the world enables companies to quickly adjust to changing market conditions by spinning up cloud desktops on-demand - when and where they’re needed.
+
+## Microsoft Surface Devices
+
+Surface engineering has long set new standards for innovation by going beyond the keyboard and mouse to imagine more natural ways of interacting with devices, whether by touch, voice, ink, or Surface Dial. And with chip-to-cloud integration of Microsoft 365 and the security and manageability of Windows 10 Pro, Surface delivers connected hardware, software, apps, and services the way they were intended. Although it’s possible to run WVD from Windows devices dating back to Windows 7, Microsoft Surface devices provide unique advantages including support for:
+
+- **Flexible form factors** - like 2-in-1 devices such as Surface Go 2, Surface Pro 7 and Surface Pro X with pen, touch and detachable keyboard.
+- **Persistent, on-demand and just-in-time work scenarios** - with offline and on-device access for more productive experiences.
+- **Windows 10 modern device security and manageability** - providing the flexibility to be productive anywhere.
+
+## Flexible form factors and premium user experience
+
+The Microsoft Surface for Business family comprises a diverse portfolio of form factors including traditional laptops, all-in-one machines, and 2-in-1 devices. Surface devices deliver experiences people love with the choice and flexibility they need in order to work on their terms.
+
+### The modern virtual desktop endpoint
+
+Surface 2-in-1 devices, including [Surface Go 2](https://www.microsoft.com/p/surface-go-2) (10.5”), [Surface Pro 7](https://www.microsoft.com/surface/devices/surface-pro-7/) (12”) and [Surface Pro X](https://www.microsoft.com/p/surface-pro-x/) (13”), provide users with the ideal cloud desktop endpoint bringing together the optimal balance of portability, versatility, power, and all-day battery. From site engineers relying on Surface Go 2 in tablet mode to financial advisors attaching Surface Pro 7 to a dock and multiple monitors, 2-in-1 devices deliver the versatility that has come to define the modern workplace.
+
+ Unlike traditional, fixed VDI “terminals”, Surface devices allow users to work from anywhere and enable companies to remain viable and operational during unforeseen events -- from severe weather to public health emergencies. With support for persistent, on-demand and just-in-time scenarios, Surface devices effectively help companies sustain ongoing operations and mitigate risk from disruptive events. Features designed to enhance productivity on Surface 2-in-1 devices include:
+
+- Vibrant, high resolution displays with 3:2 aspect ratio to get work done.
+- Natural inking and multi-touch for more immersive experiences.
+- With a wide variety of built-in and third-party accessibility features, Surface devices let you choose how to interact with your device, express ideas, and get work done.
+- Far-field mics and high-performance speakers for improved virtual meetings.
+- Biometric security including built-in, Windows Hello camera that comes standard on every Surface device.
+- Long battery life 2 and fast charging.
+- LTE options 3 on modern devices like Surface Pro X and Surface Go 2 for hassle-free and secure connectivity.
+- Support for a wide range of peripherals such as standard printers, 3D printers, cameras, credit card readers, barcode scanners, and many others. A large ecosystem of Designed for Surface partners provides licensed and certified Surface accessories.
+- Broad range of Device Redirection support.
+
+### Device Redirection Support
+
+The Surface-centric productivity experiences listed above become even more compelling in Windows Virtual Desktop environments by taking advantage of device redirection capabilities with Windows 10. Surface provides a broad range of device redirection support, especially when compared to OEM thin clients and fixed terminals, Android, iOS/macOS and Web-based access. The Windows Inbox (MSTSC) and Windows Desktop (MSRDC) clients provide the most device redirection capabilities including Input Redirection (keyboard, mouse, pen and touch), Port Redirection (serial and USB) and Other Redirections (cameras, clipboard, local drive/storage, location, microphones, printers, scanners, smart cards and speakers). For a detailed comparison of device redirection support refer to the [device redirection documentation](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#redirection-support).
+
+### Familiar Desktop Experience
+
+Not only does running the Windows Desktop Client on Surface devices provide users with a broad set of device redirection capabilities, it lets everyone launch apps in familiar ways — directly from the Start Menu or Search bar.
+
+### Persistent, on-demand and just-in-time work scenarios
+
+Windows Virtual Desktop on Surface helps customers meet increasingly complex business and security requirements across industries, employee roles, and work environments. These include:
+
+- Multi-layered security of access to data and organizational resources.
+- Compliance with industry regulations.
+- Support for an increasingly elastic workforce.
+- Employee-specific needs across a variety of job functions.
+- Ability to support specialized, processor-intensive workloads.
+- Resilience for sustaining operations during disruptions.
+
+### Table 1. Windows Virtual Desktop business conversations
+
+| Security & regulation | Elastic workforce | Work Roles | Special workloads | Business continuity |
+| ---------------------------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------------- |
+| - Financial Services - Healthcare - Government | - Merger & acquisition - Short term employees - Contractors & partners | - BYOD & mobile - Customer support/service - Branch workers | - Design & engineering - Support for legacy apps - Software dev & test | - On demand - Just-in-Time (JIT) - Work @ Home |
+
+### Offline and on-device access for more productive experiences
+
+Traditionally, VDI solutions only work when the endpoint is connected to the internet. But what happens when the internet or power is unavailable for any reason (due to mobility, being on a plane, or power outages, and so on)?
+
+To support business continuity and keep employees productive, Surface devices can easily augment the virtual desktop experience with offline access to files, Microsoft 365 and third-party applications. Traditional apps like Microsoft Office, available across .x86, x64, Universal Windows Platform, ARM platforms, enable users to stay productive in “offline mode”. Files from the virtual desktop cloud environment can be synced locally on Surface using OneDrive for Business for offline access as well. You can have the confidence that all locally “cached” information is up-to-date and secure.
+
+In addition to adding support for offline access to apps and files, Surface devices are designed to optimize collaborative experiences like Microsoft Teams “On-Device”. Although some VDI solutions support the use of Teams through a virtual session, users can benefit from the more optimized experience provided by a locally installed instance of Teams. Localizing communications and collaboration apps for multimedia channels like voice, video, live captioning allows organizations to take full advantage of Surface devices’ ability to provide optimized Microsoft 365 experiences. The emergence of Surface artificial intelligence (AI) or “AI-on-device” brings new capabilities to life, such as eye gaze technology that adjusts the appearance of your eyes so the audience sees you looking directly at the camera when communicating via video.
+
+An alternative to locally installing traditional applications is to take advantage of the latest version of Microsoft Edge, which comes with support for Progressive Web Apps (PWA). PWAs are just websites that are progressively enhanced to function like native apps on supporting platforms. The qualities of a PWA combine the best of the web and native apps by additional features, such as push notifications, background data refresh, offline support, and more.
+
+### Virtual GPUs
+
+GPUs are ideal for AI compute and graphics-intensive workloads, helping customers to fuel innovation through scenarios like high-end remote visualization, deep learning, and predictive analytics. However, this isn’t ideal for professionals who need to work remotely or while on the go because varying degrees of internal GPU horsepower are tied to the physical devices, limiting mobility and flexibility.
+
+To solve for this Azure offers the N-series family of Virtual Machines with NVIDIA GPU capabilities (vGPU). With vGPUs, IT can either share GPU performance across multiple virtual machines, or power demanding workloads by assigning multiple GPUs to a single virtual machine. For Surface this means that no matter what device you’re using, from the highly portable Surface Go 2 to the slim and stylish Surface Laptop 3, your device has access to powerful server-class graphics performance. Surface and vGPUs allow you to combine all the things you love about Surface, to include pen, touch, keyboard, trackpad and PixelSense displays, with graphics capability only available in high performance computing environments.
+
+Azure N-series brings these capabilities to life on your Surface device allowing you to work in any way you want, wherever you go. [Learn more about Azure N-Series and GPU optimized virtual machine sizes.](https://docs.microsoft.com/azure/virtual-machines/sizes-gpu)
+
+## Microsoft 365 and Surface
+
+Even in a virtualized desktop environment, Microsoft 365 and Surface deliver the experiences employees love, the protection organizations demand, and flexibility for teams to work their way. According to Forrester Research: 4
+
+- Microsoft 365-powered Surface devices give users up to 5 hours in weekly productivity gains with up to 9 hours saved per week for highly mobile workers, providing organizations with 112 percent ROI on Microsoft 365 with Surface
+- 75 percent agree Microsoft 365-powered Surface devices help improve employee satisfaction and retention
+- agree that Microsoft 365- powered Surface devices have helped improve employee satisfaction and retention.
+
+### Security and management
+
+From chip to cloud, Microsoft 365 and Surface helps organizations stay protected and up to date.
+With both Surface hardware and software designed, built, and tested by Microsoft, users can be confident they’re productive and protected by leading technologies from chip to cloud. With increased numbers of users working remotely, protecting corporate data and intellectual property becomes more paramount than ever. Windows Virtual Desktop on Surface is designed around a zero-trust security model in which every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access.
+
+By maximizing efficiencies from cloud computing, modern management enables IT to better serve the needs of users, stakeholders and customers in an increasingly competitive business environment. For example, you can get Surface devices up-and-running with minimal interaction from your team. Setup is automatic and self-serviced. Updates are quick and painless for both your team and your users. You can manage devices regardless of their physical location.
+
+Security and management features delivered with Windows Virtual Desktop on Surface include:
+
+- **Windows Update.** Keeping Windows up to date helps you stay ahead of new security threats. Windows 10 has been engineered from the ground up to be more secure and utilize the latest hardware capabilities to improve security. With a purpose-built UEFI 5 and Windows Update for Business that responds to evolving threats, end-to-end protection is secure and simplified.
+
+- **Hardware encryption.** Device encryption lets you protect the data on your Surface so it can only be accessed by authorized individuals. All Surface for Business devices feature a discrete Trusted Platform Module (dTPM) that is hardware-protected against intrusion while software uses protected keys and measurements to verify software validity.
+- **Windows Defender.** Windows Defender Antivirus brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices. The tool is built in and needs no extra agents to be deployed on-devices or in the VDI environment, simplifying management and optimizing device start up. Windows Defender is built in and needs no extra agents to be deployed on-device or in the VDI environment, simplifying management and optimizing device start up. The true out-of-the-box experience.
+- **Removable drives** - A subset of newer Surface devices feature removable SSD drives 6 providing greater control over data retention.
+- **Modern authentication -** Microsoft 365 and Surface is a unified platform delivering every Windows security feature (subject to licensing and enablement). All Surface portfolio devices ship with a custom-built camera, designed for Windows Hello for Business providing biometric security that persists seamlessly from on-device to VDI-based experiences.
+- **Modern firmware management** -Using Device Firmware Configuration Interface (DFCI),7 IT administrators can remotely disable hardware elements at a firmware level such as mics, USB ports, SD card slots, cameras, and Bluetooth which removes power to the peripheral. Windows Defender Credential Guard uses virtualization-based security so that only privileged system software can access them.
+- **Backward and forward compatibility** - Windows 10 devices provide backward and forward compatibility across hardware, software and services. Microsoft has a strong history of maintaining legacy support of hardware, peripherals, software and services while incorporating the latest technologies. Businesses can plan IT investments to have a long useful life.
+- **Bridge for legacy Windows 7 workloads** - For solution scenarios dependent on legacy Windows OS environments, enterprises can use VDI instances of Windows 7 running in Azure. This enables support on modern devices like Surface without the risk of relying on older Windows 7 machines that no longer receive the latest security updates. In addition to these “future proofing” benefits, migration of any legacy workloads becomes greatly simplified when modern Windows 10 hardware is already deployed.
+- **Zero-Touch Deployment** - Autopilot is the recommended modern management deployment option for Surface devices. Windows Autopilot on Surface is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot on Surface to remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a hardware hash. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management.
+
+### Surface devices: Minimizing environmental impacts
+
+Surface performs life cycle assessments to calculate the environmental impact of devices across key stages of product life cycle enabling Microsoft to minimize these impacts. Each Surface product has an ECO profile that includes details on greenhouse gas emissions, primary energy consumption and material composition data, packaging, recycling, and related criteria. To download profiles for each Surface device, see [ECO Profiles](https://www.microsoft.com/download/details.aspx?id=55974) on the Microsoft Download Center.
+
+## Summary
+
+Windows Virtual Desktop on Surface provides organizations with greater flexibility and resilience in meeting the diverse needs of users, stakeholders, and customers. Running Windows Virtual Desktop solutions on Surface devices provides unique advantages over continued reliance on legacy devices. Flexible form factors like Surface Go 2 and Surface Pro 7 connected to the cloud (or offline), enable users to be productive from anywhere, at any time. Whether employees work in persistent, on-demand, or just-in-time scenarios, Windows Virtual Desktop on Surface affords businesses with the versatility to sustain productivity throughout disruptions from public health emergencies or other unforeseen events. Using the built in, multi-layered security and modern manageability of Windows 10, companies can take advantage of an expanding ecosystem of cloud-based services to rapidly deploy and scale Windows desktops and apps. Simply put, Windows Virtual Desktop on Surface delivers critically needed technology to organizations and businesses of all sizes.
+
+## Learn more
+
+For more information, see the following resources:
+
+- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
+- [Surface for Business](https://www.microsoft.com/surface/business)
+- [Modernize your workforce with Microsoft Surface](https://boards.microsoft.com/public/prism/103849?token=754435c36d)
+- [A guide to Surface Technical Content and Solutions](https://boards.microsoft.com/public/prism/104362/category/90968?token=09e688ec4a)
+- [Microsoft zero-trust security](https://www.microsoft.com/security/business/zero-trust)
+
+
+----------
+
+1. Windows Virtual Desktop on Surface refers to running Azure Virtual Desktop Infrastructure on a Surface device and is described here as an architectural solution, not a separately available product.
+2. Battery life varies significantly with settings, usage and other factors.
+3. Service availability and performance subject to service provider’s network. Contact your service provider for details, compatibility, pricing, SIM card, and activation. See all specs and frequencies at surface.com.
+4. Forrester Consulting, “A Forrester Total Economic Impact™ Study: Maximizing Your ROI from Microsoft 365 Enterprise with Microsoft Surface,” commissioned by Microsoft, 2018.
+5. Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. Find out more about managing Surface UEFI settings.
+6. Removable SSD is available on Surface Laptop 3 and Surface Pro X. Note that hard drive is not user removable. Hard drive is only removable a by skilled technician following Microsoft instructions.
+7. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. [Find out more](https://docs.microsoft.com/surface/manage-surface-uefi-settings) about managing Surface UEFI settings.
+
diff --git a/mdop/mbam-v1/evaluating-mbam-10.md b/mdop/mbam-v1/evaluating-mbam-10.md
index c7a6729376..f4c72234bf 100644
--- a/mdop/mbam-v1/evaluating-mbam-10.md
+++ b/mdop/mbam-v1/evaluating-mbam-10.md
@@ -55,21 +55,21 @@ Even when you set up a non-production instance of MBAM to evaluate in a lab envi
Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.
-Note
You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup</em>. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.
+Note
You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.
USE master;
GO
-CREATE MASTER KEY ENCRYPTION BY PASSWORD = &#39;P@55w0rd';
+CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@55w0rd';
GO
CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
GO
BACKUP CERTIFICATE tdeCert TO FILE = 'C:\Backup\TDECertificate.cer'
WITH PRIVATE KEY (
FILE = 'C:\Backup\TDECertificateKey.pvk',
- ENCRYPTION BY PASSWORD = &#39;P@55w0rd');
+ ENCRYPTION BY PASSWORD = 'P@55w0rd');
GO
diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md
index 2169488622..598d24ea19 100644
--- a/windows/client-management/mdm/get-seat.md
+++ b/windows/client-management/mdm/get-seat.md
@@ -1,6 +1,6 @@
---
title: Get seat
-description: The Get seat operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
+description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get seat
-The **Get seat** operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
+The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 5697d954da..0ab027fca0 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -710,6 +710,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 07bf447af0..047fef66ae 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -2390,6 +2390,9 @@ The following diagram shows the Policy configuration service provider in tree fo
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 60ae0ffa10..9b2fcfb9c3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -16,10 +16,10 @@ manager: dansimp
To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues.
-:::image type="content" source="../../../images/screenshot11.png" alt-text="Screenshot: Send feedback page":::
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page":::
To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided.
-:::image type="content" source="../../../images/screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
+:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**.
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index fc94b61cee..9bdf2f0ae6 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -17,7 +17,7 @@ ms.author: dansimp
Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
-:::image type="content" source="../../../images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
+:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
## Where is Cortana available for use in my organization?
@@ -30,11 +30,11 @@ The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store
Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization.
>[!NOTE]
->A microphone is not required to use Cortana.
+>A microphone isn't required to use Cortana.
|**Software** |**Minimum version** |
|---------|---------|
-|Client operating system | Desktop: - Windows 10, version 2004 (recommended)
- Windows 10, version 103 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see **How is my data processed by Cortana** below. |
+|Client operating system | Desktop: - Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see **How is my data processed by Cortana** below. |
|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. |
@@ -48,7 +48,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
### Cortana in Windows 10, version 2004 and later
-Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). For more information, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
+Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
@@ -71,7 +71,7 @@ First, the user must enable the wake word from within Cortana settings. Once it
The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
-:::image type="content" source="../../../images/screenshot2.png" alt-text="Microphone icon in the system tray indicating an assistant app is listening":::
+:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
@@ -85,4 +85,4 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro
## See also
-- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818)
\ No newline at end of file
+- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 642a124de8..ae1cc6a4a5 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -22,9 +22,9 @@ manager: dansimp
4. Say **Cortana, what can you do?**.
-When you say "Cortana", Cortana will open in listening mode to acknowledge the wake word.
+When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
-:::image type="content" source="../../../images/screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
+:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
Once you finish saying your query, Cortana will open with the result.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index 55a3d754d6..cd8da63e37 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -20,7 +20,7 @@ manager: dansimp
Cortana will respond with the information from Bing.
-:::image type="content" source="../../../images/screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
+:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
>[!NOTE]
->This scenario requires Bing Answers to be enabled. For more information, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).
\ No newline at end of file
+>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 333199a0a5..5382e5665c 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -16,11 +16,10 @@ manager: dansimp
This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting.
-1. Select the **Cortana** icon in the taskbar and type _Remind me to send a link to the deck at 3:05pm_ and press **Enter**.
+1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**.
Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time.
-:::image type="content" source="../../../images/screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
-
-:::image type="content" source="../../../images/screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::
+:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
+:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index ec22777755..1a34778608 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -14,7 +14,7 @@ manager: dansimp
# Test scenario 4 - Use Cortana to find free time on your calendar
-This process helps you find out if a time slot is free on your calendar.
+This scenario helps you find out if a time slot is free on your calendar.
1. Select the **Cortana** icon in the taskbar.
@@ -24,4 +24,4 @@ This process helps you find out if a time slot is free on your calendar.
Cortana will respond with your availability for that time, as well as nearby meetings.
-:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::
\ No newline at end of file
+:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index ee0bbe9a6e..6312ad8983 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -20,6 +20,6 @@ Cortana can help you quickly look up information about someone or the org chart.
2. Type or select the mic and say, **Who is name of person in your organization's?**
-:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
+:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
-Cortana will respond with information about the person. You can select the person to open information about them in Microsoft Search.
\ No newline at end of file
+Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search.
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index 739f5afbfd..b2c7bdd9dd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -14,7 +14,7 @@ manager: dansimp
# Test scenario 6 – Change your language and perform a quick search with Cortana
-Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location or another.
+Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location.
1. Select the **Cortana** icon in the taskbar.
@@ -22,4 +22,4 @@ Cortana can help employees in regions outside the US search for quick answers li
3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
-:::image type="content" source="../../../images/screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::
\ No newline at end of file
+:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index c1b71aa782..14dfdcd3da 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -32,8 +32,8 @@ Users cannot enable or disable the Bing Answer feature individually. So, if you
Sign in to the [Office Configuration Admin tool](https://config.office.com/).
Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
-
-:::image type="content" source="../../../images/screenshot3.png" alt-text="Screenshot: Bing policy example":::
+
+:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example":::
## How does Microsoft handle customer data for Bing Answers?
@@ -43,7 +43,7 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
-Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users/user groups in their organization.
+Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization.
## How the Bing Answer policy configuration is applied
Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
\ No newline at end of file
diff --git a/windows/configuration/images/Shared_PC_1.png b/windows/configuration/images/Shared_PC_1.png
new file mode 100644
index 0000000000..bf145f6c19
Binary files /dev/null and b/windows/configuration/images/Shared_PC_1.png differ
diff --git a/windows/configuration/images/Shared_PC_2.png b/windows/configuration/images/Shared_PC_2.png
new file mode 100644
index 0000000000..c9d2362634
Binary files /dev/null and b/windows/configuration/images/Shared_PC_2.png differ
diff --git a/windows/configuration/images/Shared_PC_3.png b/windows/configuration/images/Shared_PC_3.png
new file mode 100644
index 0000000000..83b3a66fc8
Binary files /dev/null and b/windows/configuration/images/Shared_PC_3.png differ
diff --git a/images/screenshot1.png b/windows/configuration/screenshot1.png
similarity index 100%
rename from images/screenshot1.png
rename to windows/configuration/screenshot1.png
diff --git a/images/screenshot10.png b/windows/configuration/screenshot10.png
similarity index 100%
rename from images/screenshot10.png
rename to windows/configuration/screenshot10.png
diff --git a/images/screenshot11.png b/windows/configuration/screenshot11.png
similarity index 100%
rename from images/screenshot11.png
rename to windows/configuration/screenshot11.png
diff --git a/images/screenshot12.png b/windows/configuration/screenshot12.png
similarity index 100%
rename from images/screenshot12.png
rename to windows/configuration/screenshot12.png
diff --git a/images/screenshot2.png b/windows/configuration/screenshot2.png
similarity index 100%
rename from images/screenshot2.png
rename to windows/configuration/screenshot2.png
diff --git a/images/screenshot3.png b/windows/configuration/screenshot3.png
similarity index 100%
rename from images/screenshot3.png
rename to windows/configuration/screenshot3.png
diff --git a/images/screenshot4.png b/windows/configuration/screenshot4.png
similarity index 100%
rename from images/screenshot4.png
rename to windows/configuration/screenshot4.png
diff --git a/images/screenshot5.png b/windows/configuration/screenshot5.png
similarity index 100%
rename from images/screenshot5.png
rename to windows/configuration/screenshot5.png
diff --git a/images/screenshot6.png b/windows/configuration/screenshot6.png
similarity index 100%
rename from images/screenshot6.png
rename to windows/configuration/screenshot6.png
diff --git a/images/screenshot7.png b/windows/configuration/screenshot7.png
similarity index 100%
rename from images/screenshot7.png
rename to windows/configuration/screenshot7.png
diff --git a/images/screenshot8.png b/windows/configuration/screenshot8.png
similarity index 100%
rename from images/screenshot8.png
rename to windows/configuration/screenshot8.png
diff --git a/images/screenshot9.png b/windows/configuration/screenshot9.png
similarity index 100%
rename from images/screenshot9.png
rename to windows/configuration/screenshot9.png
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 95cf9806b1..289a37a0b6 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -58,7 +58,7 @@ Apps can take advantage of shared PC mode with the following three APIs:
### Customization
-Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table.
+Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring Shared PC mode for Windows](#configuring-shared-pc-mode-for-windows). The options are listed in the following table.
| Setting | Value |
|:---|:---|
@@ -80,16 +80,33 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
[Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts.
+## Configuring Shared PC mode for Windows
-## Configuring shared PC mode on Windows
You can configure Windows to be in shared PC mode in a couple different ways:
-- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune)
-
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
-- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**.
+ 1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home).
+ 2. Select **Devices** from the navigation.
+ 3. Under **Policy**, select **Configuration profiles**.
+ 4. Select **Create profile**.
+ 5. From the **Platform** menu, select **Windows 10 and later**.
+ 6. From the **Profile** menu, select **Shared multi-user device**.
-
+ 
+
+ 7. Select **Create**.
+ 8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so.
+ 9. Select **Next**.
+ 10. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
+
+ 
+
+ 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
+
+- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
+
+ 
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index d4e56af1b7..d67f31c871 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -268,7 +268,7 @@
#### [Conclusion](update/feature-update-conclusion.md)
### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md)
### Use Windows Update for Business
-#### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
+#### [What is Windows Update for Business?](update/waas-manage-updates-wufb.md)
#### [Configure Windows Update for Business](update/waas-configure-wufb.md)
#### [Enforcing compliance deadlines for updates](update/wufb-compliancedeadlines.md)
#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md)
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
new file mode 100644
index 0000000000..1e382897ed
--- /dev/null
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -0,0 +1,139 @@
+---
+title: Create a deployment plan
+description: Devise the number of deployment rings you need and how you want to populate them
+ms.prod: w10
+ms.mktglfcycl: manage
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Create a deployment plan
+
+A service management mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once this process is used for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
+
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices, and we’ve found that ring-based deployment is a methodology that works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades--they are simply a method by which to separate devices into a deployment timeline.
+
+At the highest level, each “ring” comprise a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
+
+A common ring structure comprises three deployment groups:
+
+- Preview: Planning and development
+- Limited: Pilot and validation
+- Broad: Wide deployment
+
+> [!NOTE]
+> Organizations often use different names for their “rings," for example:
+> - First > Fast > Broad
+> - Canaries > Early Adopters > Users
+> - Preview > Broad > Critical
+
+
+## How many rings should I have?
+
+There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large
+organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization.
+
+## Advancing between rings
+
+There are basically two strategies for moving deployments from one ring to the next. One is service based, the other project based.
+
+- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution.
+- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring.
+
+When it comes to deployments, having manual steps in the process usually impedes update velocity, so a "red button" strategy is better when that is your goal.
+
+## Preview ring
+
+The purpose of the Preview ring is to evaluate the new features of the update. This is specifically *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next,
+generally IT administrators. Ultimately, this is the time the design and planning work happens so that when the public update is actually shipped, you can have greater confidence in the update.
+
+> [!NOTE]
+> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases.
+
+
+### Who goes in the Preview ring?
+
+The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these are IT pros, and perhaps a few people in the business organization.
+
+During your plan and prepare phases, these are the activities you should focus on:
+
+- Work with Windows Insider Preview builds.
+- Identify the features and functionality your organization can or wants to use.
+- Establish who will use the features and how they will benefit.
+- Understand why you are putting the update out.
+- Plan for usage feedback.
+
+Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release.
+
+> [!IMPORTANT]
+> If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update for Business, be sure to set the following policies to allow for Preview builds:
+> - **Manage Preview Builds: 2 - Enable preview builds**
+> • Under **Branch Readiness Level**, select **When Preview Builds and Feature Updates are Received: 4--Windows Insider Program Slow**
+
+## Limited ring
+
+The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback is generated to enable the decision to move forward to broader deployment. Desktop
+Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment.
+
+### Who goes in the Limited ring?
+
+The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network.
+
+
+During your pilot and validate phases, these are the activities you should focus on:
+
+- Deploy new innovations.
+- Assess and act if issues are encountered.
+- Move forward unless blocked.
+
+When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring, because your Limited ring represents your organization across the board, and when you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
+
+## Broad deployment
+
+Once the devices in the Limited ring have had a sufficient stabilization period, it’s time for broad deployment across the network.
+
+### Who goes in the Broad deployment ring?
+
+In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly.
+
+> [!NOTE]
+> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature
+> updates to mission critical devices.
+
+During the broad deployment phase, these are the activities you should focus on:
+
+- Deploy to all devices in the organization.
+- Work through any final unusual issues that were not detected in your Limited ring.
+
+
+## Ring deployment planning
+
+Previously, we have provided methods for analyzing your deployments, but these have generally been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics.
+
+
+[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
+make informed decisions about the readiness of your Windows devices.
+
+In Windows 10 deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest
+feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions.
+
+> [!IMPORTANT]
+> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity.
+
+### Deployment plan options
+
+There are two ways to implement a ring deployment plan, depending on how you manage your devices:
+
+- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/about-deployment-plans).
+- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide).
+
+For more about Desktop Analytics, see these articles:
+
+- [How to set up Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/set-up)
+- [Tutorial: Deploy Windows 10 to Pilot](https://docs.microsoft.com/mem/configmgr/desktop-analytics/tutorial-windows10)
+- [Desktop Analytics documentation](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview)
+- [Intune deployment planning, design, and implementation guide](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide)
\ No newline at end of file
diff --git a/windows/deployment/update/define-update-strategy.md b/windows/deployment/update/define-update-strategy.md
new file mode 100644
index 0000000000..d8fd47ee87
--- /dev/null
+++ b/windows/deployment/update/define-update-strategy.md
@@ -0,0 +1,59 @@
+---
+title: Define update strategy
+ms.reviewer:
+manager: laurawi
+description:
+keywords: updates, calendar, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Define update strategy
+
+Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
+
+Today, more organizations are treating deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--withouth interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
+
+Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, an so you might choose to update annually. The 18/30 month lifecycle cadence lets you to allow some portion of you environment to move faster while a majority can move less quickly.
+
+
+
+## Calendar approaches
+
+You can use a calendar approach for either a faster 18-month or twice-per-year cadence or a 30-month or annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates.
+
+
+### Annual
+
+Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles:
+
+
+
+This approach provides approximately twelve months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version 20H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
+
+This cadence might be most suitable for you if any of these conditions apply:
+
+- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a once every 3-5 year project to a twice a year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
+- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
+- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the *second* half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months).
+
+
+### Rapid
+
+This calendar shows an example schedule that installs each feature update as it is released, twice per year:
+
+
+
+This cadence might be best for you if these conditions apply:
+
+- You have a strong appetite for change.
+- You want to continuously update supporting infrastructure and unlock new scenarios.
+- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office.
+- You have experience with feature updates for Windows 10.
\ No newline at end of file
diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png
new file mode 100644
index 0000000000..a13d5393e6
Binary files /dev/null and b/windows/deployment/update/images/DO-absolute-bandwidth.png differ
diff --git a/windows/deployment/update/images/annual-calendar.png b/windows/deployment/update/images/annual-calendar.png
new file mode 100644
index 0000000000..1ff15bed76
Binary files /dev/null and b/windows/deployment/update/images/annual-calendar.png differ
diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png
new file mode 100644
index 0000000000..35aec71626
Binary files /dev/null and b/windows/deployment/update/images/rapid-calendar.png differ
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
new file mode 100644
index 0000000000..a2ff53df19
--- /dev/null
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -0,0 +1,115 @@
+---
+title: Define readiness criteria
+ms.reviewer:
+manager: laurawi
+description: Identify important roles and figure out how to classify apps
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Define readiness criteria
+
+## Figure out roles and personnel
+
+Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
+
+### Process manager
+
+The process manager leads the update deployment process and has the authority to push the process forward--or halt it if necessary. They also have responsibilities in organizing these activities:
+
+
+|Compatibility workstream |Deployment |Capability and modernization |
+|---------|---------|---------|
+|[Assigning application priority](#set-criteria-for-rating-apps) | Reviewing infrastructure requirements | Determining infrastructure changes |
+|Application assessment | Validating infrastructure against requirements | Determining configuration changes |
+|Device assessment | Creating infrastructure update plan | Create capability proposal |
+
+It's the process manager's role to collect reports on remediation efforts, escalate failures, and to decide whether your environment is ready for pilot deployment and then broad deployment.
+
+
+This table sketches out one view of the other roles, with their responsibilities, relevant skills, and the deployment phases where they are needed:
+
+
+|Role |Responsibilities |Skills |Active phases |
+|---------|---------|---------|---------|
+|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT service management | Plan, prepare, pilot deployment, broad deployment |
+|Application owner | Define application test plan; assign user acceptance testers; certify the application | Knowledge of critical and important applications | Plan, prepare, pilot deployment |
+|Application developer | Ensure apps are developed to stay compatible with current Windows versions | Application development; application remediation | Plan, prepare |
+|End-user computing | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows | Bare-metal deployment; infrastructure management; application delivery; update management | Plan, prepare, pilot deployment, broad deployment |
+|Operations | Ensure that support is available for current Windows version. Provide post-deployment support, including user communication and rollbacks. | Platform security | Prepare, pilot deployment, broad deployment |
+|Security | Review and approve the security baseline and tools | Platform security | Prepare, pilot deployment |
+|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment |
+
+
+
+
+
+
+## Set criteria for rating apps
+
+Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise.
+
+In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
+
+Here's a suggested classification scheme:
+
+
+|Classification |Definition|
+|---------|---------|
+|Critical | The most vital applications that handle core business activities and processes. If these applications were not available, the business, or a business unit, couldn't function at all. |
+|Important | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business. |
+|Not important | There is no impact on the business if these apps are not available for a while. |
+
+Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority.
+
+Here's an example priority rating system; of course the specifics could vary for your organization:
+
+
+|Priority |Definition |
+|---------|---------|
+|1 | Any issues or risks identified must be investigated and resolved as soon as possible. |
+|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. |
+|3 | Start investigating risks and issues within 10 business days. You don’t have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. |
+|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. |
+
+Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle.
+
+Here's an example:
+
+
+|Severity |Effect |
+|---------|---------|
+|1 | Work stoppage or loss of revenue |
+|2 | Productivity loss for a business unit |
+|3 | Productivity loss for individual users |
+|4 | Minimal impact on users |
+
+## Example: a large financial corporation
+
+Using the suggested scheme, a financial corporation might classify their apps like this:
+
+
+|App |Classification |
+|---------|---------|
+|Credit processing app | Critical |
+|Frontline customer service app | Critical |
+|PDF viewer | Important |
+|Image processing app | Not important |
+
+Further, they might combine this classification with severity and priority rankings like this:
+
+
+|Classification |Severity |Priority |Response |
+|---------|---------|---------|---------|
+|Critical | 1 or 2 | 1 or 2 | For 1, stop deployment until resolved; for 2, stop deployment for affected devices or users only. |
+|Important | 3 or 4 | 3 or 4 | For 3, continue deployment, even for affected devices, as long as there is workaround guidance. |
+|Not important | 4 | 4 | Continue deployment for all devices. |
+
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
new file mode 100644
index 0000000000..29c3c93099
--- /dev/null
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -0,0 +1,76 @@
+---
+title: Determine application readiness
+ms.reviewer:
+manager: laurawi
+description: How to test your apps to know which need attention prior to deploying an update
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Determine application readiness
+
+Before you deploy a Windows 10 update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps] with respect to their criticality in your organization.
+
+## Validation methods
+
+You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment.
+
+
+|Validation method |Description |
+|---------|---------|
+|Full regression | A full quality assurance probing. Staff who know the application very well and can validate its core functionality should do this. |
+|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they’re validating. |
+|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. |
+|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
+|Reactive response | Applications are validated in late pilot, and no specific users are selected. These are normally applications aren't installed on many devices and aren’t handled by enterprise application distribution. |
+
+Combining the various validation methods with the app classifications you've previously established might look like this:
+
+
+|Validation method |Critical apps |Important apps |Not important apps |
+|---------|---------|---------|---------|
+|Full regression | x | | |
+|Smoke testing | | x | |
+|Automated testing | x | x | x |
+|Test in pilot | x | x | x |
+
+
+## Identify users
+
+Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include:
+
+- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in?
+- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work?
+- **Technical ability**: Do the users have enough technical competence to provide useful feedback from various test scenarios?
+
+You could seek volunteers who enjoy working with new features and include them in the pilot deployment. You might want to avoid using core users like department heads or project managers. Current application owners, operations personnel, and developers can help you identify the most appropriate pilot users.
+
+## Identify and set up devices for validation
+
+In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment.
+
+There is more than one way to choose devices for app validation:
+
+- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles.
+- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
+- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices.
+
+
+## Desktop Analytics
+
+Desktop Analytics can make all of the tasks discussed in this article significantly easier:
+
+- Creating and maintaining an application and device inventory
+- Assign owners to applications for testing
+- Automatically apply your app classifications (critical, important, not important)
+- Automatically identify application compatibility risks and provide recommendations for reducing those risks
+
+For more information, see [What is Desktop Analytics?](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview)
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index a5d605d778..b4bb57aef5 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
-[//]: # (Configuration Manager Boundary Group option; GroupID Source policy)
+[//]: # (Configuration Manager boundary group option; GroupID Source policy)
>[!NOTE]
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index ac14bcf549..7bcf7c77c3 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -35,6 +35,9 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se
>[!NOTE]
>These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set.
+> [!NOTE]
+> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](https://docs.microsoft.com/mem/intune/configuration/delivery-optimization-settings).
+
Quick-reference table:
| Use case | Policy | Recommended value | Reason |
@@ -66,6 +69,9 @@ To do this in Group Policy go to **Configuration\Policies\Administrative Templat
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**.
+> [!NOTE]
+> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization).
+
### Large number of mobile devices
@@ -139,7 +145,9 @@ Using the `-Verbose` option returns additional information:
- Bytes from CDN (the number of bytes received over HTTP)
- Average number of peer connections per download
-Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
+Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
+
+Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
@@ -166,6 +174,30 @@ You can now "pin" files to keep them persistent in the cache. You can only do th
#### Work with Delivery Optimization logs
+**Starting in Windows 10, version 2004:**
+
+`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
+
+With no options, this cmdlet returns these data:
+
+- total number of files
+- number of foreground files
+- minimum file size for it to be cached
+- number of eligible files
+- number of files with peers
+- number of peering files [how different from the above?]
+- overall efficiency
+- efficiency in the peered files
+
+Using the `-ListConnections` option returns these detauls about peers:
+
+- destination IP address
+- peer type
+- status code
+- bytes sent
+- bytes received
+- file ID
+
**Starting in Windows 10, version 1803:**
`Get-DeliveryOptimizationLog [-Path ] [-Flush]`
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index d37589c3e6..40cf29568f 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -32,6 +32,15 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi
>[!NOTE]
>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
+## New in Windows 10, version 2004
+
+- Enterprise network throttling: new settings have been added in Group Policy and MDM to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface:
+
+
+
+- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#microsoft-connected-cache).
+
+
## Requirements
The following table lists the minimum Windows 10 version that supports Delivery Optimization:
@@ -54,8 +63,16 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Defender definition updates | 1511 |
| Office Click-to-Run updates | 1709 |
| Win32 apps for Intune | 1709 |
+| Office installations and updates | 2004 |
+| Xbox game pass games | 2004 |
+| MSIX apps (HTTP downloads only) | 2004 |
| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |
+> [!NOTE]
+> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
+
+
+
@@ -124,6 +141,30 @@ For the payloads (optional):
**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
+**How does Delivery Optimization handle VPNs?**
+Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
+
+If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the {WE SHOULD NAME OR POINT TO THIS POLICY} policy.
+
+If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN.
+
+With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints:
+
+Delivery Optimization service endpoint:
+- `https://*.prod.do.dsp.mp.microsoft.com`
+
+Delivery Optimization metadata:
+- `http://emdl.ws.microsoft.com`
+- `http://*.dl.delivery.mp.microsoft.com`
+
+Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
+
+- `http://*.windowsupdate.com`
+- `https://*.delivery.mp.microsoft.com`
+- `https://*.update.microsoft.com`
+- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
+
+For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
## Troubleshooting
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 0e9f6ba908..e0d6464259 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -1,5 +1,5 @@
---
-title: Deploy updates using Windows Update for Business (Windows 10)
+title: Windows Update for Business (Windows 10)
ms.reviewer:
manager: laurawi
description: Windows Update for Business lets you manage when devices received updates from Windows Update.
@@ -11,24 +11,118 @@ ms.author: jaimeo
ms.topic: article
---
-# Deploy updates using Windows Update for Business
+# What is Windows Update for Business?
**Applies to**
- Windows 10
-- Windows Server 2016
-- Windows Server 2019
-Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro for Workstation, and Education editions.
+
+Windows Update for Business is a free service that is available for all premium editions including Windows 10 Pro, Enterprise, Pro for Workstation, and Education editions.
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated.
+Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated.
-Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization as well as a positive update experience for those within your organization.
+Specifically, Windows Update for Business allows for control over update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization as well as a positive update experience for those in your organization.
+
+## What can I do with Windows Update for Business?
+
+Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
+
+You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as a variety of other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
+
+
+### Manage deployment of Windows Updates
+By using Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deployment to devices in your organization in waves.
+
+### Manage which updates are offered
+Windows Update for Business enables an IT administrator to receive and manage a variety of different types of Windows Updates.
+
+## Types of updates managed by Windows Update for Business
+
+Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
+
+- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring.
+- **Quality updates:** These are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates.
+- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
+- **Microsoft product updates**: These are updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
+
+
+## Offering
+You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.
+
+### Manage when updates are offered
+You can defer or pause the installation of updates for a set period of time.
+
+#### Enroll in pre-release updates
+
+The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
+
+- Windows Insider Fast
+- Windows Insider Slow
+- Windows Insider Release Preview
+- Semi-annual Channel
+
+Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days are calculated against a release’s Semi-annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
+
+#### Defer an update
+
+A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy.
+
+
+|Category |Maximum deferral period |
+|---------|---------|
+|Feature updates | 365 days |
+|Quality updates | 30 days |
+|Non-deferrable | none |
+
+
+
+#### Pause an update
+
+If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated.
+If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
+
+To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
+
+Built in benefits:
+When updating from Windows Update you get the added benefits of built in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks.
+
+### Recommendations
+
+For the best experience with Windows Update, follow these guidelines:
+
+- Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
+- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
+- Make sure that devices have at least 10 GB of free space.
+- Give devices unobstructed access to the Windows Update service.
+
+### Manage the end-user experience when receiving Windows Updates
+
+Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for those in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's usually better to use fewer controls to manage the end-user experience.
+
+#### Recommended experience settings
+
+Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
+
+1. Automatically download, install and restart (default if no restart policies are set up or enabled)
+2. Use the default notifications
+3. Set update deadlines
+
+##### Setting deadlines
+
+A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates.
+
+This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
+
+
+
+
+
-* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
+* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
+* [Block credential stealing from the Windows local security authority subsystem](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) (lsass.exe)
* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
@@ -61,39 +63,41 @@ ASR currently supports all of the rules below:
* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
-**What are some good recommendations for getting started with ASR?**
+## What are some good recommendations for getting started with ASR?
-It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
+Test how ASR rules will impact your organization before enabling them by running ASR rules in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
-Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
+Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
-**How long should I test an ASR rule in audit mode before enabling it?**
+## How long should I test an ASR rule in audit mode before enabling it?
-You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
+Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
-**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?**
+## I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?
-Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a large number of exploits and vulnerabilities.
+In most cases, it's easier and better to start with the baseline recommendations suggested by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs.
+
+The default configuration for most ASR rules, combined with Microsoft Defender ATP's real-time protection, will protect against a large number of exploits and vulnerabilities.
From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
-**Does ASR support file or folder exclusions that include system variables and wildcards in the path?**
+## Does ASR support file or folder exclusions that include system variables and wildcards in the path?
Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
-**Do ASR rules cover all applications by default?**
+## Do ASR rules cover all applications by default?
It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
-**Does ASR support third-party security solutions?**
+## Does ASR support third-party security solutions?
ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
-**I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?**
+## I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?
Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP.
-**I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.**
+## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.
Try opening the indexing options directly from Windows 10.
@@ -101,23 +105,23 @@ Try opening the indexing options directly from Windows 10.
1. Enter **Indexing options** into the search box.
-**Are the criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*, configurable by an admin?**
+## Are the criteria used by the rule, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," configurable by an admin?
-No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
+No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up to date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
-**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?**
+## I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?
This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
-Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode.
+Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be reassessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with new versions of applications, you may opt instead to run this rule in audit mode.
-**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?**
+## I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?
-A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
+A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often targets lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
-Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
+Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive number of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
-**Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?**
+## Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?
Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index da5160567b..0ca49f4b35 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -23,9 +23,6 @@ ms.custom: asr
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
@@ -44,9 +41,11 @@ For more information about configuring attack surface reduction rules, see [Enab
## Attack surface reduction features across Windows versions
-You can set attack surface reduction rules for computers running the following versions of Windows:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
+You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
index 4084d8b928..9ab72ae669 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
@@ -24,26 +24,96 @@ ms.collection:
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-## Behavioral blocking and containment overview
+## Overview
-Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints.
+Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised machines. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and machine learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security).
-## Behavioral blocking and containment capabilities
+Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities.
-Behavioral blocking and containment capabilities include the following:
+:::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment":::
-- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
+Behavioral blocking and containment capabilities work with multiple components and features of Microsoft Defender ATP to stop attacks immediately and prevent attacks from progressing.
-- **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
-- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
+- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.
-- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
+- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Microsoft Defender ATP processes and correlates these signals, raises detection alerts, and connects related alerts in incidents.
-As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development.
+With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks.
+
+The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities:
+
+:::image type="content" source="images/blocked-behav-alert.png" alt-text="Example of an alert through behavioral blocking and containment":::
+
+## Components of behavioral blocking and containment
+
+- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
+
+- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
+
+- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
+
+- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
+
+Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
+
+## Examples of behavioral blocking and containment in action
+
+Behavioral blocking and containment capabilities have blocked attacker techniques such as the following:
+
+- Credential dumping from LSASS
+- Cross-process injection
+- Process hollowing
+- User Account Control bypass
+- Tampering with antivirus (such as disabling it or adding the malware as exclusion)
+- Contacting Command and Control (C&C) to download payloads
+- Coin mining
+- Boot record modification
+- Pass-the-hash attacks
+- Installation of root certificate
+- Exploitation attempt for various vulnerabilities
+
+Below are two real-life examples of behavioral blocking and containment in action.
+
+### Example 1: Credential theft attack against 100 organizations
+
+As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
+
+Behavior-based machine learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain:
+- The first protection layer detected the exploit behavior. Machine learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
+- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
+
+While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
+
+:::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center":::
+
+This example shows how behavior-based machine learning models in the cloud add new layers of protection against attacks, even after they have started running.
+
+### Example 2: NTML relay - Juicy Potato malware variant
+
+As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
+
+:::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware":::
+
+The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device.
+
+Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image:
+
+:::image type="content" source="images/Artifactblockedjuicypotato.png" alt-text="Artifact blocked":::
+
+A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device.
+
+This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically.
## Next steps
+- [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
+
- [Configure your attack surface reduction rules](attack-surface-reduction.md)
-- [Enable EDR in block mode](edr-in-block-mode.md)
\ No newline at end of file
+- [Enable EDR in block mode](edr-in-block-mode.md)
+
+- [See recent global threat activity](https://www.microsoft.com/wdsi/threats)
+
+- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
new file mode 100644
index 0000000000..317b858f36
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
@@ -0,0 +1,90 @@
+---
+title: Client behavioral blocking
+description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
+keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro
+ms.topic: article
+ms.prod: w10
+ms.localizationpriority: medium
+ms.custom:
+- next-gen
+- edr
+ms.collection:
+---
+
+# Client behavioral blocking
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically.
+
+:::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection":::
+
+Antivirus protection works best when paired with cloud protection.
+
+## How client behavioral blocking works
+
+[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
+
+Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
+
+## Behavior-based detections
+
+Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed:
+
+
+|Tactic | Detection threat name |
+|----|----|
+|Initial Access | Behavior:Win32/InitialAccess.*!ml |
+|Execution | Behavior:Win32/Execution.*!ml |
+|Persistence | Behavior:Win32/Persistence.*!ml |
+|Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml |
+|Defense Evasion | Behavior:Win32/DefenseEvasion.*!ml |
+|Credential Access | Behavior:Win32/CredentialAccess.*!ml |
+|Discovery | Behavior:Win32/Discovery.*!ml |
+|Lateral Movement | Behavior:Win32/LateralMovement.*!ml |
+|Collection | Behavior:Win32/Collection.*!ml |
+|Command and Control | Behavior:Win32/CommandAndControl.*!ml |
+|Exfiltration | Behavior:Win32/Exfiltration.*!ml |
+|Impact | Behavior:Win32/Impact.*!ml |
+|Uncategorized | Behavior:Win32/Generic.*!ml |
+
+> [!TIP]
+> To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**.
+
+
+## Configuring client behavioral blocking
+
+If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured:
+
+- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
+
+- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
+
+- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
+
+- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus)
+
+## Related articles
+
+- [Behavioral blocking and containment](behavioral-blocking-containment.md)
+
+- [Feedback-loop blocking](feedback-loop-blocking.md)
+
+- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
+
+- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index e959cf1bbf..ae36af69a0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 07/01/2018
---
# Configure attack surface reduction
@@ -27,11 +26,7 @@ You can configure attack surface reduction with a number of tools, including:
* Group Policy
* PowerShell cmdlets
-The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools).
-
-## In this section
-
-Topic | Description
+Article | Description
-|-
[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements
[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
index ad965c75e5..d5f2d69d6c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
@@ -27,31 +27,29 @@ ms.topic: article
## Pull detections using security information and events management (SIEM) tools
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>[!NOTE]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
-Microsoft Defender ATP currently supports the following SIEM tools:
+Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:
-- Splunk
-- HP ArcSight
+- IBM QRadar
+- Micro Focus ArcSight
+
+Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
To use either of these supported SIEM tools you'll need to:
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- Configure the supported SIEM tool:
- - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+ - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+ - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
-## Pull Microsoft Defender ATP detections using REST API
-Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API.
-
-For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
deleted file mode 100644
index c27fdb45cc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
+++ /dev/null
@@ -1,133 +0,0 @@
----
-title: Configure Splunk to pull Microsoft Defender ATP detections
-description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center.
-keywords: configure splunk, security information and events management tools, splunk
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure Splunk to pull Microsoft Defender ATP detections
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
-
-You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
-
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
-
-## Before you begin
-
-- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk.
-- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-
-- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
- - Tenant ID
- - Client ID
- - Client Secret
- - Resource URL
-
-
-## Configure Splunk
-
-1. Login in to Splunk.
-
-2. Go to **Settings** > **Data inputs**.
-
-3. Select **Windows Defender ATP alerts** under **Local inputs**.
-
- >[!NOTE]
- > - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
- > - For Splunk Cloud, use [Microsoft Defender ATP Add-on for Splunk](https://splunkbase.splunk.com/app/4959/).
-
-
-4. Click **New**.
-
-5. Type the following values in the required fields, then click **Save**:
-
- NOTE:
- All other values in the form are optional and can be left blank.
-
-
-
-
-
Field
-
Value
-
-
-
Name
-
Name for the Data Input
-
-
Login URL
-
URL to authenticate the azure app (Default : https://login.microsoftonline.com)
-
-
Endpoint
-
Depending on the location of your datacenter, select any of the following URL: For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com For US:https://wdatp-alertexporter-us.securitycenter.windows.com
For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com
-
-
-
Tenant ID
-
Azure Tenant ID
-
-
Resource
-
Value from the SIEM integration feature page
-
-
Client ID
-
Value from the SIEM integration feature page
-
-
-
Client Secret
-
Value from the SIEM integration feature page
-
-
-
-
-
-After completing these configuration steps, you can go to the Splunk dashboard and run queries.
-
-## View detections using Splunk solution explorer
-Use the solution explorer to view detections in Splunk.
-
-1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
-
-2. Select **New**.
-
-3. Enter the following details:
- - Search: Enter a query, for example:
- `sourcetype="wdatp:alerts" |spath|table*`
- - App: Add-on for Windows Defender (TA_Windows-defender)
-
- Other values are optional and can be left with the default values.
-
-4. Click **Save**. The query is saved in the list of searches.
-
-5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
-
-
->[!TIP]
-> To minimize Detection duplications, you can use the following query:
->```source="rest://wdatp:alerts" | spath | dedup _raw | table *```
-
-## Related topics
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
-- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index 0786bb44f2..9540fd0ce6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/13/2019
+ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
@@ -26,11 +26,16 @@ manager: dansimp
> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
+[Attack surface reduction rules](enable-attack-surface-reduction.md) help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
-Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
+You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
@@ -72,7 +77,7 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 9115bc352e..e31b0b4fc7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -12,22 +12,29 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 05/05/2020
+ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
# Enable attack surface reduction rules
-[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
+[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-Each ASR rule contains three settings:
+Each ASR rule contains one of three settings:
* Not configured: Disable the ASR rule
* Block: Enable the ASR rule
* Audit: Evaluate how the ASR rule would impact your organization if enabled
-To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
+To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
+
+> [!TIP]
+> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
You can enable attack surface reduction rules by using any of these methods:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index f408e29140..382f789aa7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -27,9 +27,10 @@ ms.topic: article
Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>[!NOTE]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Prerequisites
- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
@@ -75,7 +76,6 @@ You can now proceed with configuring your SIEM solution or connecting to the det
You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
## Related topics
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 70a03c74e5..a77a399d92 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
-ms.date: 04/02/2019
+ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
@@ -23,7 +23,11 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
+Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 9944777801..83b638059c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -25,6 +25,8 @@ Conducting a comprehensive security product evaluation can be a complex process
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM]
+
With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Microsoft Defender ATP performs.
You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
new file mode 100644
index 0000000000..d4be39d220
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md
@@ -0,0 +1,58 @@
+---
+title: Feedback-loop blocking
+description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
+keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender ATP
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+ms.reviewer: shwetaj
+audience: ITPro
+ms.topic: article
+ms.prod: w10
+ms.localizationpriority: medium
+ms.custom:
+- next-gen
+- edr
+ms.collection:
+---
+
+# Feedback-loop blocking
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Overview
+
+Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks.
+
+## How feedback-loop blocking works
+
+When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem.
+
+With rapid protection in place, an attack can be stopped on a device, other devices in the organization, and devices in other organizations, as an attack attempts to broaden its foothold.
+
+
+## Configuring feedback-loop blocking
+
+If your organization is using Microsoft Defender ATP, feedback-loop blocking is enabled by default. However, rapid protection occurs through a combination of Microsoft Defender ATP capabilities, machine learning protection features, and signal-sharing across Microsoft security services. Make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured:
+
+- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
+
+- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
+
+- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
+
+- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus)
+
+## Related articles
+
+- [Behavioral blocking and containment](behavioral-blocking-containment.md)
+
+- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
+
+- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
index 066146d158..fe2ddd1f2d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
@@ -46,6 +46,15 @@ To have your company listed as a partner in the in-product partner page, you wil
3. Provide a 15-word product description.
4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed.
5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application.
+6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
+ Follow these steps:
+ 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration.
+
+ - ISV Nomenclature: `MdatpPartner-{CompanyName}-{TenantID}/{Version}`.
+ - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`.
+
+ 2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature.
+ For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png
index 7635b49f3e..50aaff6186 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png and b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png b/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png
new file mode 100644
index 0000000000..3baa36a30e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png b/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png
new file mode 100644
index 0000000000..0ecdbe5a2d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png
new file mode 100644
index 0000000000..eb5819123e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png
new file mode 100644
index 0000000000..f02cd3b7c4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png
new file mode 100644
index 0000000000..cc46690248
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png
new file mode 100644
index 0000000000..e9cb104a05
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png
new file mode 100644
index 0000000000..add1b5bd15
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png
new file mode 100644
index 0000000000..cea5e255f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png
index 94c724f0c8..ef062f0c8e 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 412d0351fa..31656eeae6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -179,18 +179,59 @@ In order to preview new features and provide early feedback, it is recommended t
sudo yum install mdatp
```
+ If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+ ```bash
+ # list all repositories
+ $ yum repolist
+ ...
+ packages-microsoft-com-prod packages-microsoft-com-prod 316
+ packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2
+ ...
+
+ # install the package from the production repository
+ $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
+ ```
+
- SLES and variants:
```bash
sudo zypper install mdatp
```
+ If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+ ```bash
+ # list all repositories
+ $ zypper repos
+ ...
+ # | Alias | Name | ...
+ XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
+ XX | packages-microsoft-com-prod | microsoft-prod | ...
+ ...
+
+ # install the package from the production repository
+ $ sudo zypper install packages-microsoft-com-prod:mdatp
+ ```
+
- Ubuntu and Debian system:
```bash
sudo apt-get install mdatp
```
+ If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
+
+ ```bash
+ # list all repositories
+ $ cat /etc/apt/sources.list.d/*
+ deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
+ deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
+
+ # install the package from the production repository
+ $ sudo apt -t bionic install mdatp
+ ```
+
## Download the onboarding package
Download the onboarding package from Microsoft Defender Security Center:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
index e633d8184f..f1928bc4d1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
@@ -1,6 +1,6 @@
---
-title: Manual deployment for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender ATP for Mac manually, from the command line.
+title: Manual deployment for Microsoft Defender ATP for macOS
+description: Install Microsoft Defender ATP for macOS manually, from the command line.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,45 +17,34 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Manual deployment for Microsoft Defender ATP for Mac
+# Manual deployment for Microsoft Defender ATP for macOS
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md)
-This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps:
+This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
- [Application installation](#application-installation)
- [Client configuration](#client-configuration)
## Prerequisites and system requirements
-Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**.
+2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
- 
+ 
5. From a command prompt, verify that you have the two files.
- Extract the contents of the .zip files:
-
- ```bash
- $ ls -l
- total 721152
- -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
- -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
- $ unzip WindowsDefenderATPOnboardingPackage.zip
- Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: MicrosoftDefenderATPOnboardingMacOs.py
- ```
-
+
## Application installation
To complete this process, you must have admin privileges on the machine.
@@ -87,7 +76,7 @@ The installation proceeds.
## Client configuration
-1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for Mac.
+1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for macOS.
The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
@@ -127,4 +116,4 @@ See [Logging installation issues](mac-resources.md#logging-installation-issues)
## Uninstallation
-See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices.
+See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for macOS from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index d5613256d1..5d98e6652f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -179,108 +179,45 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
-Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
+4. Install the Microsoft Monitoring Agent (MMA).
+ MMA is currently (as of January 2019) supported on the following Windows Operating
+ Systems:
-Edit the InstallMMA.cmd with a text editor, such as notepad and update the
-following lines and save the file:
+ - Server SKUs: Windows Server 2008 SP1 or Newer
- 
+ - Client SKUs: Windows 7 SP1 and later
-Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
+ The MMA agent will need to be installed on Windows devices. To install the
+ agent, some systems will need to download the [Update for customer experience
+ and diagnostic
+ telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+ in order to collect the data with MMA. These system versions include but may not
+ be limited to:
- 
+ - Windows 8.1
-Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
-Systems:
+ - Windows 7
-- Server SKUs: Windows Server 2008 SP1 or Newer
+ - Windows Server 2016
-- Client SKUs: Windows 7 SP1 and later
+ - Windows Server 2012 R2
-The MMA agent will need to be installed on Windows devices. To install the
-agent, some systems will need to download the [Update for customer experience
-and diagnostic
-telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-in order to collect the data with MMA. These system versions include but may not
-be limited to:
+ - Windows Server 2008 R2
-- Windows 8.1
+ Specifically, for Windows 7 SP1, the following patches must be installed:
-- Windows 7
+ - Install
+ [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-- Windows Server 2016
+ - Install either [.NET Framework
+ 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
+ later) **or**
+ [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
+ Do not install both on the same system.
-- Windows Server 2012 R2
+5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
-- Windows Server 2008 R2
-
-Specifically, for Windows 7 SP1, the following patches must be installed:
-
-- Install
- [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
-- Install either [.NET Framework
- 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
- later) **or**
- [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
- Do not install both on the same system.
-
-To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
-below to utilize the provided batch files to onboard the systems. The CMD file
-when executed, will require the system to copy files from a network share by the
-System, the System will install MMA, Install the DependencyAgent, and configure
-MMA for enrollment into the workspace.
-
-
-1. In Microsoft Endpoint Configuration Manager console, navigate to **Software
- Library**.
-
-2. Expand **Application Management**.
-
-3. Right-click **Packages** then select **Create Package**.
-
-4. Provide a Name for the package, then click **Next**
-
- 
-
-5. Verify **Standard Program** is selected.
-
- 
-
-6. Click **Next**.
-
- 
-
-7. Enter a program name.
-
-8. Browse to the location of the InstallMMA.cmd.
-
-9. Set Run to **Hidden**.
-
-10. Set **Program can run** to **Whether or not a user is logged on**.
-
-11. Click **Next**.
-
-12. Set the **Maximum allowed run time** to 720.
-
-13. Click **Next**.
-
- 
-
-14. Verify the configuration, then click **Next**.
-
- 
-
-15. Click **Next**.
-
-16. Click **Close**.
-
-17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
- Onboarding Package just created and select **Deploy**.
-
-18. On the right panel select the appropriate collection.
-
-19. Click **OK**.
+Once completed, you should see onboarded endpoints in the portal within an hour.
## Next generation protection
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 967d14b25f..2b029e2725 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -27,8 +27,8 @@ ms.topic: conceptual
Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4woug]
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug]
Article | Description
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index f2c30ec2e4..c55c6e231f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -27,8 +27,9 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
>[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
index 2251ec4e49..b3955f8794 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
@@ -30,20 +30,20 @@ ms.topic: article
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service.
-1. Create a folder: 'C:\test-WDATP-test'.
+1. Create a folder: 'C:\test-MDATP-test'.
2. Open an elevated command-line prompt on the machine and run the script:
- a. Go to **Start** and type **cmd**.
+ 1. Go to **Start** and type **cmd**.
- b. Right-click **Command Prompt** and select **Run as administrator**.
+ 1. Right-click **Command Prompt** and select **Run as administrator**.
- 
+ 
3. At the prompt, copy and run the following command:
- ```
- powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
- ```
+ ```powershell
+ powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
+ ```
The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index f99aa7584f..625c85ac9a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 11/16/2018
+ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
---
@@ -23,15 +23,15 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
+If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
1. Open **Windows Security**.
-2. Click **Virus & threat protection** and then click **Threat History**.
-3. Under **Quarantined threats**, click **See full history**.
-4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
+2. Select **Virus & threat protection** and then click **Protection history**.
+3. In the list of all recent items, filter on **Quarantined Items**.
+4. Select an item you want to keep, and take an action, such as restore.
-> [!NOTE]
-> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV.
+> [!TIP]
+> Restoring a file from quarantine can also be done using Command Prompt. See [Restore a file from quarantine](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine).
## Related articles
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
index a043492918..edb6146667 100644
--- a/windows/whats-new/TOC.md
+++ b/windows/whats-new/TOC.md
@@ -1,4 +1,5 @@
# [What's new in Windows 10](index.md)
+## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md)
## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
diff --git a/windows/whats-new/images/system-guard2.png b/windows/whats-new/images/system-guard2.png
new file mode 100644
index 0000000000..5505ffa78c
Binary files /dev/null and b/windows/whats-new/images/system-guard2.png differ
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index b7051cfee0..f8674a3abf 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -18,6 +18,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
## In this section
+- [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md)
- [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index e49c027a4d..6898dce476 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
-description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile.
+description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile.
ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
ms.reviewer:
ms.prod: w10
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, versions 1507 and 1511
+# What's new in Windows 10, versions 1507 and 1511 for IT Pros
Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511.
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index f27cc65739..2b6f691d44 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1607 (Windows 10)
-description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (version 1607) and Windows 10 Mobile.
+description: What's new in Windows 10 for Windows 10 (version 1607) and Windows 10 Mobile.
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.author: greglin
ms.topic: article
---
-# What's new in Windows 10, version 1607
+# What's new in Windows 10, version 1607 for IT Pros
Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update).
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 1a4c0d57c0..bcec94de57 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1703
-description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
+description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated).
keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -14,7 +14,7 @@ ms.author: greglin
ms.topic: article
---
-# What's new in Windows 10, version 1703 IT pro content
+# What's new in Windows 10, version 1703 for IT Pros
Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 0aaaa4cb45..17f5cb4dfe 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1709
-description: New and updated IT Pro content about new features in Windows 10, version 1709 (also known as the Fall Creators Update).
+description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update).
keywords: ["What's new in Windows 10", "Windows 10", "Fall Creators Update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, version 1709 IT Pro content
+# What's new in Windows 10, version 1709 for IT Pros
**Applies to**
- Windows 10, version 1709
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 051d5d4b6e..acd7f43bb2 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1803
-description: New and updated IT Pro content about new features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
+description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, version 1803 IT Pro content
+# What's new in Windows 10, version 1803 for IT Pros
**Applies to**
- Windows 10, version 1803
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index ec640e3eea..795fbe2644 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1903
-description: New and updated IT Pro content about new features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
+description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, version 1903 IT Pro content
+# What's new in Windows 10, version 1903 for IT Pros
**Applies to**
- Windows 10, version 1903
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 6d20ec5fa7..60ca36e9dd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1909
-description: New and updated IT Pro content about new features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
+description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
keywords: ["What's new in Windows 10", "Windows 10", "November 2019 Update"]
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.topic: article
---
-# What's new in Windows 10, version 1909 IT Pro content
+# What's new in Windows 10, version 1909 for IT Pros
**Applies to**
- Windows 10, version 1909
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
new file mode 100644
index 0000000000..5da24d91f6
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -0,0 +1,246 @@
+---
+title: What's new in Windows 10, version 2004
+description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update).
+keywords: ["What's new in Windows 10", "Windows 10", "May 2020 Update"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+ms.localizationpriority: high
+ms.topic: article
+---
+
+# What's new in Windows 10, version 2004 for IT Pros
+
+**Applies to**
+- Windows 10, version 2004
+
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909.
+
+> [!NOTE]
+> The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003.
+
+## Security
+
+### Windows Hello
+
+- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
+- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
+- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995).
+- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+
+### Windows Defender System Guard
+
+In this release, [Windows Defender System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
+
+With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
+
+ 
+
+### Widows Defender Application Guard
+
+[Windows Defender Application Guard](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
+
+Note: [Application Guard for Office](https://support.office.com/article/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46) is coming soon.
+
+## Deployment
+
+### Windows Setup
+
+Improvements in Windows Setup with this release include:
+- Reduced offline time during feature updates
+- Improved controls for reserved storage
+- Improved controls and diagnostics
+- New recovery options
+
+For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464).
+
+### SetupDiag
+
+In Windows 10, version 2004, SetupDiag is now automatically installed.
+
+[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues.
+
+During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
+
+### Windows Autopilot
+
+With this release, you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
+
+If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.
+
+### Microsoft Endpoint Manager
+
+An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuraton Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
+
+Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/whats-new).
+
+### Windows Assessment and Deployment Toolkit (ADK)
+
+Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+
+For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
+
+### Microsoft Deployment Toolkit (MDT)
+
+MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. This issue is currently under investigation.
+
+For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes).
+
+## Servicing
+
+### Delivery Optimization
+
+Windows PowerShell cmdlets have been improved:
+
+- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
+- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
+- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
+
+Additional improvements:
+- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+- Automatic cloud-based congestion detection is available for PCs with cloud service support.
+
+The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
+
+- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
+ - Reason: Replaced with separate policies for foreground and background
+- Max Upload Bandwidth (DOMaxUploadBandwidth)
+ - Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
+- Absolute max throttle (DOMaxDownloadBandwidth)
+ - Reason: separated to foreground and background
+
+### Windows Update for Business
+
+[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
+- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
+- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
+
+## Virtualization
+
+### Containers on Windows
+
+This update includes 5 fixes to allow the host to run down-level containers on up-level for process (Argon) isolation. Previously [Containers on Windows](https://docs.microsoft.com/virtualization/windowscontainers/) required matched host and container version. This limited Windows containers from supporting mixed-version container pod scenarios.
+
+### Windows Sandbox
+
+[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bugfixes and enables even more control over configuration.
+
+[Windows Sandbox configuration](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes:
+- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop.
+- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox.
+- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This is disabled by default due to issues with copy & paste.
+- PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox.
+- ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox.
+- MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox.
+
+Windows Media Player is also added back to the Sandbox image in this release.
+
+Windows Sandbox also has improved accessibility in this release, including:
+- Microphone support is available.
+- Added functionality to configure the audio input device via the Windows Sandbox config file.
+- A Shift + Alt + PrintScreen key sequence that activates the ease of access dialog for enabling high contrast mode.
+- A ctrl + alt + break key sequence that allows entering/exiting fullscreen mode.
+
+### Windows Subsystem for Linux (WSL)
+
+With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed.
+
+[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support is has been added for ARM64 devices if your device supports virtualization.
+
+For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes).
+
+### Windows Virtual Desktop (WVD)
+
+Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](https://aka.ms/wvdgetstarted) for the latest and greatest information, as well as the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent).
+
+## Microsoft Edge
+
+Read about plans for the new Microsoft Edge and other innovations announced at [Build 2020](https://blogs.windows.com/msedgedev/2020/05/19/microsoft-edge-news-developers-build-2020/) and [What's new at Microsoft Edge Insider](https://www.microsoftedgeinsider.com/whats-new).
+
+Also see information about the exciting new Edge browser [here](https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/).
+
+## Application settings
+
+This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
+
+## Windows Shell
+
+Several enhancements to the Windows 10 user interface are implemented in this release:
+
+### Cortana
+
+[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004:
+- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US.
+ - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
+- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms.
+- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.
+
+For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020).
+
+### Windows Search
+
+Windows Search is [improved](https://insider.windows.com/community-news/desktop-search/) in several ways.
+
+### Virtual Desktops
+
+You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1.
+
+### Bluetooth pairing
+
+Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/at-home/Whats-new-wip-at-home-20h1#improving-your-bluetooth-pairing-experience-build-18985).
+
+### Reset this PC
+
+The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option.
+
+### Task Manager
+
+The following items are added to Task Manager in this release:
+- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
+- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898).
+
+## Graphics & display
+
+### DirectX
+
+[New DirectX 12 features](https://devblogs.microsoft.com/directx/dev-preview-of-new-directx-12-features/) are available in this release.
+
+### 2-in-1 PCs
+
+A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch When you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
+
+### Specialized displays
+
+With this update, devices running Windows 10 Enterprise or Windows 10 Pro for Workstations with multiple displays can be configured to prevent Windows from using a display, making it available for a specialized purpose.
+
+Examples include:
+- Fixed-function arcade & gaming such as cockpit, driving, flight, and military simulators
+- Medical imaging devices with custom panels, such as grayscale X-ray displays
+- Video walls like those displayed in Microsoft Store
+- Dedicated video monitoring
+- Monitor panel testing and validation
+- Independent Hardware Vendor (IHV) driver testing and validation
+
+To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use.
+
+## Desktop Analytics
+
+[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
+
+For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new).
+
+## See Also
+
+[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
+[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
+[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.
+[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
+[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
+[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+[What’s new for IT pros in Windows 10, version 2004](https://aka.ms/whats-new-in-2004): Windows IT Pro blog.