diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 3da8139a20..eb5e4f6104 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -55,8 +55,8 @@ If you [turn off traffic to this endpoint](manage-connections-from-windows-opera | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | +| explorer | HTTP | `tile-service.weather.microsoft.com` | +| | HTTP | `blob.weather.microsoft.com` | The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). @@ -65,7 +65,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | +| | HTTPS | `cdn.onenote.net/livetile/?Language=en-US` | The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
@@ -74,8 +74,8 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | +| | HTTPS | `wildcard.twimg.com` | +| svchost.exe | | `oem.twimg.com/windows/tile.xml` | The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). @@ -84,7 +84,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | star-mini.c10r.facebook.com | +| | | `star-mini.c10r.facebook.com` | The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). @@ -93,7 +93,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | +| WindowsApps\Microsoft.Windows.Photos | HTTPS | `evoke-windowsservices-tas.msedge.net` | The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
@@ -102,7 +102,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | TLS v1.2 | candycrushsoda.king.com | +| | TLS v1.2 | `candycrushsoda.king.com` | The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). 
@@ -111,24 +111,24 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | +| system32\AppHostRegistrationVerifier.exe | HTTPS | `wallet.microsoft.com` | The following endpoint is used by the Groove Music app for update HTTP handler status. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. | Source process | Protocol | Destination | |----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | +| system32\AppHostRegistrationVerifier.exe | HTTPS | `mediaredirect.microsoft.com` | The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | wbd.ms | -| | HTTPS | int.whiteboard.microsoft.com | -| | HTTPS | whiteboard.microsoft.com | -| | HTTP / HTTPS | whiteboard.ms | +| | HTTPS | `wbd.ms` | +| | HTTPS | `int.whiteboard.microsoft.com` | +| | HTTPS | `whiteboard.microsoft.com` | +| | HTTP / HTTPS | `whiteboard.ms` | ## Cortana and Search 
@@ -137,28 +137,28 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| searchui | HTTPS |store-images.s-microsoft.com | +| searchui | HTTPS | `store-images.s-microsoft.com` | The following endpoint is used to update Cortana greetings, tips, and Live Tiles. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | +| backgroundtaskhost | HTTPS | `www.bing.com/client` | The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | +| backgroundtaskhost | HTTPS | `www.bing.com/proactive` | The following endpoint is used by Cortana to report diagnostic and diagnostic data information. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | +| searchui
backgroundtaskhost | HTTPS | `www.bing.com/threshold/xls.aspx` | ## Certificates @@ -171,7 +171,7 @@ If traffic to this endpoint is turned off, Windows no longer automatically downl | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTP | ctldl.windowsupdate.com | +| svchost | HTTP | `ctldl.windowsupdate.com` | ## Device authentication @@ -180,7 +180,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | login.live.com/ppsecure | +| | HTTPS | `login.live.com/ppsecure` | ## Device metadata @@ -189,8 +189,8 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | dmd.metaservices.microsoft.com.akadns.net | -| | HTTP | dmd.metaservices.microsoft.com | +| | | `dmd.metaservices.microsoft.com.akadns.net` | +| | HTTP | `dmd.metaservices.microsoft.com` | ## Diagnostic Data 
@@ -199,22 +199,22 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | +| svchost | | `cy2.vortex.data.microsoft.com.akadns.net` | The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | +| svchost | HTTPS | `v10.vortex-win.data.microsoft.com/collect/v1` | The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| wermgr | | watson.telemetry.microsoft.com | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | +| wermgr | | `watson.telemetry.microsoft.com` | +| | TLS v1.2 | `modern.watson.data.microsoft.com.akadns.net` | ## Font streaming 
@@ -223,8 +223,8 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | +| svchost | | `fs.microsoft.com` | +| | | `fs.microsoft.com/fs/windows/config.json` | ## Licensing @@ -233,7 +233,7 @@ To turn off traffic for this endpoint, disable the Windows License Manager Servi | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | +| licensemanager | HTTPS | `licensing.mp.microsoft.com/v7.0/licenses/content` | ## Location @@ -242,8 +242,8 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTP | location-inference-westus.cloudapp.net | -| | HTTPS | inference.location.live.net | +| | HTTP | `location-inference-westus.cloudapp.net` | +| | HTTPS | `inference.location.live.net` | ## Maps @@ -252,7 +252,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | *g.akamaiedge.net | +| svchost | HTTPS | `*g.akamaiedge.net` | ## Microsoft account @@ -261,11 +261,11 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | login.msa.akadns6.net | -| | | login.live.com | -| | | account.live.com | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | -| | | us.configsvc1.live.com.akadns.net | +| | | `login.msa.akadns6.net` | +| | | `login.live.com` | +| | | `account.live.com` | +| system32\Auth.Host.exe | HTTPS | `auth.gfx.ms` | +| | | `us.configsvc1.live.com.akadns.net` | ## Microsoft Store 
@@ -274,32 +274,32 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | *.wns.windows.com | +| | HTTPS | `*.wns.windows.com` | The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | +| | HTTP | `storecatalogrevocation.storequality.microsoft.com` | The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | -| backgroundtransferhost | HTTPS | store-images.microsoft.com | +| | HTTPS | `img-prod-cms-rt-microsoft-com.akamaized.net` | +| backgroundtransferhost | HTTPS | `store-images.microsoft.com` | The following endpoints are used to communicate with Microsoft Store. 
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP \ HTTPS | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| -| svchost | HTTPS | displaycatalog.mp.microsoft.com | +| | HTTP | `storeedgefd.dsx.mp.microsoft.com` | +| | HTTP \ HTTPS | `pti.store.microsoft.com` | +||TLS v1.2| `cy2.*.md.mp.microsoft.com.*.` | +| svchost | HTTPS | `displaycatalog.mp.microsoft.com` | ## Network Connection Status Indicator (NCSI) @@ -308,7 +308,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | +| | HTTP | `www.msftconnecttest.com/connecttest.txt` | ## Office 
@@ -318,13 +318,13 @@ If you turn off traffic for these endpoints, users won't be able to save documen | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | -| | HTTPS | ocos-office365-s2s.msedge.net | -| | HTTPS | nexusrules.officeapps.live.com | -| | HTTPS | officeclient.microsoft.com | +| | | `*.a-msedge.net` | +| hxstr | | `*.c-msedge.net` | +| | | `*.e-msedge.net` | +| | | `*.s-msedge.net` | +| | HTTPS | `ocos-office365-s2s.msedge.net` | +| | HTTPS | `nexusrules.officeapps.live.com` | +| | HTTPS | `officeclient.microsoft.com` | The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. 
@@ -332,20 +332,20 @@ If you turn off traffic for these endpoints, users won't be able to save documen | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | +| system32\Auth.Host.exe | HTTPS | `outlook.office365.com` | The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| +|Windows Apps\Microsoft.Windows.Photos|HTTPS| `client-office365-tas.msedge.net` | The following endpoint is used to connect the Office To-Do app to it's cloud service. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| |HTTPS|to-do.microsoft.com| +| |HTTPS| `to-do.microsoft.com` | ## OneDrive 
@@ -354,14 +354,14 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | +| onedrive | HTTP \ HTTPS | `g.live.com/1rewlive5skydrive/ODSUProduction` | The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| onedrive | HTTPS | oneclient.sfx.ms | +| onedrive | HTTPS | `oneclient.sfx.ms` | ## Settings 
@@ -370,21 +370,21 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | +| dmclient | | `cy2.settings.data.microsoft.com.akadns.net` | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| dmclient | HTTPS | settings.data.microsoft.com | +| dmclient | HTTPS | `settings.data.microsoft.com` | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | settings-win.data.microsoft.com | +| svchost | HTTPS | `settings-win.data.microsoft.com` | ## Skype 
@@ -392,9 +392,9 @@ The following endpoint is used to retrieve Skype configuration values. To turn o | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | -| | HTTPS | browser.pipe.aria.microsoft.com | -| | | skypeecs-prod-usw-0-b.cloudapp.net | +|microsoft.windowscommunicationsapps.exe | HTTPS | `config.edge.skype.com` | +| | HTTPS | `browser.pipe.aria.microsoft.com` | +| | | `skypeecs-prod-usw-0-b.cloudapp.net` | ## Windows Defender 
@@ -403,24 +403,24 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | wdcp.microsoft.com | +| | | `wdcp.microsoft.com` | The following endpoints are used for Windows Defender definition updates. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com | +| | | `definitionupdates.microsoft.com` | +|MpCmdRun.exe|HTTPS| `go.microsoft.com` | The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Windows Defender Smartscreen notifications will no appear. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| | HTTPS | ars.smartscreen.microsoft.com | -| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | -| | | smartscreen-sn3p.smartscreen.microsoft.com | +| | HTTPS | `ars.smartscreen.microsoft.com` | +| | HTTPS | `unitedstates.smartscreen-prod.microsoft.com` | +| | | `smartscreen-sn3p.smartscreen.microsoft.com` | ## Windows Spotlight 
@@ -429,11 +429,11 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com | -| | HTTPS | query.prod.cms.rt.microsoft.com | +| backgroundtaskhost | HTTPS | `arc.msn.com` | +| backgroundtaskhost | | `g.msn.com.nsatc.net` | +| |TLS v1.2| `*.search.msn.com` | +| | HTTPS | `ris.api.iris.microsoft.com` | +| | HTTPS | `query.prod.cms.rt.microsoft.com` | ## Windows Update 
@@ -442,23 +442,23 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | +| svchost | HTTPS | `*.prod.do.dsp.mp.microsoft.com` | The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTP | *.windowsupdate.com | -| svchost | HTTP | *.dl.delivery.mp.microsoft.com | +| svchost | HTTP | `*.windowsupdate.com` | +| svchost | HTTP | `*.dl.delivery.mp.microsoft.com` | The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | *.update.microsoft.com | -| svchost | HTTPS | *.delivery.mp.microsoft.com | +| svchost | HTTPS | `*.update.microsoft.com` | +| svchost | HTTPS | `*.delivery.mp.microsoft.com` | These are dependent on enabling: - [Device authentication](manage-windows-1809-endpoints.md#device-authentication) 
@@ -469,7 +469,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | +| svchost | HTTPS | `tsfe.trafficshaping.dsp.mp.microsoft.com` | ## Microsoft forward link redirection service (FWLink) @@ -480,7 +480,7 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa | Source process | Protocol | Destination | |----------------|:--------:|------------| -|Various|HTTPS|go.microsoft.com| +|Various|HTTPS| `go.microsoft.com` | ## Other Windows 10 editions diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 8c5b01b506..f98634584d 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md 
@@ -20,12 +20,12 @@ ms.technology: mde This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft, see [Related topics](#related-topics). -| **Section** | **Contents** | +| Section | Contents | |--------------|-------------------------| | [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. | | [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | | [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. | -| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. 
| +| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://www.microsoft.com/download/details.aspx?id=48240) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. | This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration: @@ -118,7 +118,7 @@ Data Execution Prevention (DEP) does exactly that, by substantially reducing the 1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. -2. Click **More Details** (if necessary), and then click the **Details** tab. +2. Click **More Details** (if necessary), and then click the **Details** tab. 3. Right-click any column heading, and then click **Select Columns**. @@ -311,9 +311,9 @@ The following table lists EMET features in relation to Windows 10 features. - - + + 
@@ -435,7 +435,7 @@ Examples: Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL ``` -- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies). This will enable protections on Windows 10 equivalent to EMET's ASR protections. +- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-windows-defender-application-control). This will enable protections on Windows 10 equivalent to EMET's ASR protections. - **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET "Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example: diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 2b62e7fc98..d9d11ffcb6 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
@@ -52,9 +52,11 @@ The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) ##### Attack surface reduction -Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). - - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. - - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders). + +- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + +- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. 
After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. ###### Windows Defender Firewall 
@@ -74,34 +76,42 @@ But these protections can also be configured separately. And, unlike HVCI, code Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. - Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). - - We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). 
The new library includes information on: -- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus) -- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) -- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus) -- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) -- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus) +Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). - Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus). +We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). 
The new library includes information on: - New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include: -- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) -- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) -- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus) +- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus) +- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus) +- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus) +- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features) +- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus) - We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). 
+Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). - **Endpoint detection and response** is also enhanced. New **detection** capabilities include: -- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. - - [Custom detection](/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. - - Upgraded detections of ransomware and other advanced attacks. - - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. +New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include: - **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: - - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. 
- - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. +- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) +- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus) +- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus) + +We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). + +**Endpoint detection and response** is also enhanced. New **detection** capabilities include: + +- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + +- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. 
+ +- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + +- Upgraded detections of ransomware and other advanced attacks. + +- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + +**Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: + +- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. +- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. Additional capabilities have been added to help you gain a holistic view on **investigations** include: @@ -139,7 +149,8 @@ We’re continuing to work on how other security apps you’ve installed show up This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). -You can read more about ransomware mitigations and detection capability at: +You can read more about ransomware mitigations and detection capability at: + - [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) - [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) 
@@ -147,7 +158,9 @@ Also see [New capabilities of Microsoft Defender for Endpoint further maximizing Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + ### Information protection @@ -203,7 +216,7 @@ Improvements have been added are to Windows Hello for Business and Credential Gu New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. -New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) include: +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: - You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). @@ -250,7 +263,7 @@ The new [security baseline for Windows 10 version 1803](/windows/security/threat #### SMBLoris vulnerability -An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. +An issue, known as _SMBLoris_, which could result in denial of service, has been addressed. #### Windows Security Center 
@@ -283,7 +296,7 @@ We’ve continued to work on the **Current threats** area in [Virus & threat pr [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. 
@@ -548,7 +561,7 @@ For more info, see [Implement server-side support for mobile application managem ### MDM diagnostics -In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. +In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 6386e1bddd..80fd32b4a9 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md 
@@ -52,7 +52,7 @@ WUfB now has additional controls available to manage Windows Insider Program enr ### Windows Insider Program for Business -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). ## Administration @@ -119,7 +119,7 @@ The minimum PIN length is being changed from 6 to 4, with a default of 6. For mo Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). ### SMBLoris vulnerability -An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. +An issue, known as _SMBLoris_, which could result in denial of service, has been addressed. ## Windows Analytics diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 82419adcf5..371bf97c95 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md 
@@ -54,7 +54,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update ## Servicing - [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. 
When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. 
@@ -132,7 +132,7 @@ This new feature is displayed under the Device Security page with the string “ - [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. - [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. - Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! -- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. +- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. ### Security management
Specific EMET featuresHow these EMET features map
-to Windows 10 features
Specific EMET featuresHow these EMET features map
+to Windows 10 features
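Review bot: The added controlled folder access line in the `@@ -52,9 +52,11 @@` hunk of whats-new-windows-10-2019.md drops the opening parenthesis of the link target: `[controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders)`. As written, the brackets render as literal text with no link and a stray `)`. Restore the `(` so the line reads `[controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders)`.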
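Review bot: Link migration is incomplete in the `@@ -74,34 +76,42 @@` hunk of whats-new-windows-10-2019.md. The Microsoft Defender Antivirus and custom detection links move to `/microsoft-365/security/defender-endpoint/...`, but the threat intelligence API link is only moved to `/windows/security/threat-protection/windows-defender-atp/...`, and the two re-added "Take response actions" links keep `/windows/threat-protection/windows-defender-atp/...`, the same prefix the threat intelligence line is being moved away from. Confirm that all three targets resolve, or point them at their current locations in this change, so the response-action guidance is not left behind a dead link.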
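Review bot: The SMBLoris sentence in the `@@ -119,7 +119,7 @@` hunk of whats-new-windows-10-version-1709.md (and the identical line in the `@@ -250,7 +263,7 @@` hunk of whats-new-windows-10-2019.md) still gives the reader nothing to verify the fix against. The encoding repair from `“SMBLoris�?` to `_SMBLoris_` is fine, but "has been addressed" carries no link to an advisory or update. If a reference exists in the docs set, link it here so admins can confirm which builds carry the fix.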
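Review bot: The Windows Insider Program for Business link in the `@@ -52,7 +52,7 @@` hunk of whats-new-windows-10-version-1709.md changes from a docs-relative path with a `#getting-started-with-windows-insider-program-for-business` anchor to the external `https://insider.windows.com/for-business` with no anchor. Check that the new page still covers registering Azure AD domains, which is what the sentence promises. The unchanged context lines in the next hunk of this file also still link to `/windows/device-security/...` for the security baselines and the Security Compliance Toolkit, so verify those targets while this file is open.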
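Review bot: In the `@@ -548,7 +561,7 @@` hunk (MDM diagnostics) of whats-new-windows-10-2019.md, the Microsoft Message Analyzer link target changes from a download page (`/download/details.aspx?id=44226`) to an operating guide (`/message-analyzer/microsoft-message-analyzer-operating-guide`), while the sentence still says "we are introducing" the tool. Confirm that readers can still obtain the tool from the new target, or adjust the wording so it does not imply a download that the link no longer provides.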