Merge branch 'master' into MTE_alertdescupdate

devices/hololens/TOC.md

@@ -5,6 +5,7 @@
 ## [Get your HoloLens 2 ready to use](hololens2-setup.md)
 ## [Set up your HoloLens 2](hololens2-start.md)
 ## [HoloLens 2 fit and comfort FAQ](hololens2-fit-comfort-faq.md)
+## [Frequently asked questions about cleaning HoloLens 2 devices](hololens2-maintenance.md)
 ## [Supported languages for HoloLens 2](hololens2-language-support.md)
 ## [Getting around HoloLens 2](hololens2-basic-usage.md)
 

devices/hololens/hololens-insider.md

@@ -36,13 +36,13 @@ If you no longer want to receive Insider builds of Windows Holographic, you can
 
 To verify that your HoloLens is running a production build:
 
-- Go to **Settings > System > About**, and find the build number.
-- [See the release notes for production build numbers.](hololens-release-notes.md)
+1. Go to **Settings > System > About**, and find the build number.
+1. [See the release notes for production build numbers.](hololens-release-notes.md)
 
 To opt out of Insider builds:
 
-- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
-- Follow the instructions to opt out your device.
+1. On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
+1. Follow the instructions to opt out your device.
 
 ## Provide feedback and report issues
 
@@ -65,7 +65,7 @@ Here's a quick summary of what's new:
 - Seamlessly apply a provisioning package from a USB drive to your HoloLens
 - Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system
 - Use Windows AutoPilot to set up and pre-configure new devices, quickly getting them ready for productive use.  Send a note to hlappreview@microsoft.com to join the preview.
-- Dark Mode - many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time. Navigate to Settings > System > Colors to find "Choose your default app mode."
+- Dark Mode - HoloLens customers can now choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time.
 - Support for additional system voice commands
 - Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate
 - Performance and stability improvements across the product
@@ -98,6 +98,20 @@ You can now can access these commands with your voice:
 
 If you're running your system with a different language, please try the appropriate commands in that language.
 
+### Dark mode
+Many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to **Settings > System > Colors to find "Choose your default app mode."**
+Here are some of the in-box apps that support Dark mode!
+- Settings
+- Microsoft Store
+- Mail
+- Calendar
+- File Explorer
+- Feedback Hub
+- OneDrive
+- Photos
+- 3D Viewer
+- Movies & TV
+
 ### FFU download and flash directions
 To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu.
 1. On PC

devices/hololens/hololens2-maintenance.md

@@ -0,0 +1,84 @@
+---
+title: HoloLens 2 device care and cleaning FAQ
+description: 
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 3/26/2020
+ms.prod: hololens
+ms.topic: article
+ms.custom: 
+- CI 115560
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+keywords: 
+manager: jarrettr
+appliesto:
+- HoloLens 2
+---
+
+# Frequently asked questions about cleaning HoloLens 2 devices
+
+> [!IMPORTANT]  
+> Microsoft cannot make a determination of the effectiveness of any given disinfectant product in fighting pathogens such as COVID-19. Please refer to your local public health authority's guidance about how to stay safe from potential infection.  
+
+## What are the general cleaning instructions for HoloLens 2 devices?
+
+**To clean the device**
+
+1. Remove any dust by using a dry, lint-free microfiber cloth to gently wipe the surface of the device.
+1. Lightly moisten the cloth by using medical "70%" isopropyl alcohol, and then use the moistened cloth to gently wipe the surface of the device.
+
+   ![Image that shows how to clean the visor](images/hololens-cleaning-visor.png)
+
+1. Let the device dry completely.
+
+**To clean the brow pad**
+
+1. Use water and a mild, antibiotic soap to moisten a cloth, and then use the moistened cloth to wipe the brow pad.
+1. Let the brow pad dry completely.
+
+## Can I use any lens cleaner for cleaning the HoloLens visor?
+
+No. Lens cleaners can be abrasive to the coatings on the visor. To clean the visor, follow these steps:  
+
+1. Remove any dust by using a dry lint-free microfiber cloth to gently wipe the visor.
+1. Lightly moisten a cloth by using medical "70%" isopropyl alcohol, and then gently wipe the visor.
+1. Let the visor dry completely.
+
+## Can I use disinfecting wipes to clean the device?
+
+Yes, if the wipes do not contain bleach. You can use non-bleach disinfecting wipes to [gently wipe the HoloLens surfaces](#what-are-the-general-cleaning-instructions-for-hololens-2-devices).  
+
+> [!CAUTION]  
+> Avoid using disinfecting wipes that contains bleach to clean the HoloLens surfaces. It is acceptable to use bleach wipes in critical situations, when nothing else is available. However, bleach may damage the HoloLens visor or other surfaces.
+
+## Can I use alcohol to clean the device?
+
+Yes. You can use a solution of "70%" isopropyl alcohol and water to clean the hard surfaces of the device, including the visor. Lightly moisten the cloth by using a mix of isopropyl alcohol and water, and then gently wipe the surface of the device
+
+## Is the brow pad replaceable?
+
+Yes. The brow pad is magnetically attached to the device. To detach it, pull it gently away from the headband. To replace it, snap it back into place.
+
+![Remove or replace the brow pad](images/hololens2-remove-browpad.png)
+
+## How can I clean the brow pad?
+
+To clean the brow pad, wipe it by using a cloth that's moistened by using water and a mild antibiotic soap. Let the brow pad dry completely before you use it again.
+
+## Can I use ultraviolet (UV) light to sanitize the device?
+
+UV germicidal irradiation has not been tested on HoloLens 2.
+
+> [!CAUTION]  
+> High levels of UV exposure can degrade the display quality of the device and damage the visor coating. Over-exposure to UV radiation has the following effects, in order of the duration and intensity of exposure:
+>  
+> 1. The brow pad and device closures become discolored.
+> 1. Defects appear in the anti-reflective (AR) coating on the visor and on the sensor windows.
+> 1. Defects appear in the base materials of the visor and on the sensor windows.
+> 1. SRG performance degrades.
+
+## Is the rear pad replaceable?
+
+No.

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -245,6 +245,7 @@ To collect Event Viewer logs:
 
 ### Useful Links
 
+- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
 - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
 - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
 - [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)

windows/deployment/update/update-compliance-monitor.md

@@ -20,10 +20,9 @@ ms.topic: article
 > [!IMPORTANT]
 > While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
 >
-> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
 > * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
 
-
 ## Introduction
 
 Update Compliance enables organizations to:

windows/deployment/update/update-compliance-wd-av-status.md

@@ -18,7 +18,7 @@ ms.topic: article
 
 
 > [!IMPORTANT]
-> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
 
 ![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png)
 

windows/deployment/windows-autopilot/registration-auth.md

@@ -47,9 +47,13 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus
     ![Delegated rights](images/csp2.png)
     - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent.  You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal:  https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
     - Send the template above to the customer via email.
-2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
+2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following Microsoft 365 admin center page:
 
-    ![Global admin](images/csp3.png)
+    ![Global admin](images/csp3a.png)
+
+    The image above is what the customer will see if they requested delegated admin rights (DAP). Note that the page says what Admin roles are being requested.  If the customer did not request delegated admin rights they would see the following page:
+
+    ![Global admin](images/csp3b.png)   
 
     > [!NOTE]
     > A user without global admin privileges who clicks the link will see a message similar to the following:

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Advanced hunting query best practices

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceFileEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceImageLoadEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceInfo

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceLogonEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceNetworkEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceNetworkInfo

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceProcessEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceRegistryEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Learn the advanced hunting query language
@@ -32,64 +31,87 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
 In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
 
 ```kusto
-// Finds PowerShell execution events that could involve a download.
-DeviceProcessEvents  
+// Finds PowerShell execution events that could involve a download
+union DeviceProcessEvents, DeviceNetworkEvents
 | where Timestamp > ago(7d)
-| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") 
-| where ProcessCommandLine has "Net.WebClient"
-        or ProcessCommandLine has "DownloadFile"
-        or ProcessCommandLine has "Invoke-WebRequest"
-        or ProcessCommandLine has "Invoke-Shellcode"
-        or ProcessCommandLine contains "http:"
-| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+// Pivoting on PowerShell processes
+| where FileName in~ ("powershell.exe", "powershell_ise.exe")
+// Suspicious commands
+| where ProcessCommandLine has_any("WebClient",
+    "DownloadFile",
+    "DownloadData",
+    "DownloadString",
+    "WebRequest",
+    "Shellcode",
+    "http",
+    "https")
+| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, 
+FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 
 This is how it will look like in advanced hunting.
 
-![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
+![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png)
 
-### Describe the query and specify the table to search
-The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
+
+### Describe the query and specify the tables to search
+A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization. 
 
 ```kusto
-// Finds PowerShell execution events that could involve a download.
-DeviceProcessEvents
+// Finds PowerShell execution events that could involve a download
 ```
 
-The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding  with the table name `DeviceProcessEvents` and add piped elements as needed.
+The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables,  `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
 
+```kusto
+union DeviceProcessEvents, DeviceNetworkEvents
+```
 ### Set the time range
-The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
+The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 
 ```kusto
 | where Timestamp > ago(7d)
 ```
-### Search for specific executable files
-The time range is immediately followed by a search for files representing the PowerShell application.
 
-```kusto
-| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
+### Check specific processes
+The time range is immediately followed by a search for process file names representing the PowerShell application.
+
 ```
-### Search for specific command lines
-Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
-
-```kusto
-| where ProcessCommandLine has "Net.WebClient"
-        or ProcessCommandLine has "DownloadFile"
-        or ProcessCommandLine has "Invoke-WebRequest"
-        or ProcessCommandLine has "Invoke-Shellcode"
-        or ProcessCommandLine contains "http:"
+// Pivoting on PowerShell processes
+| where FileName in~ ("powershell.exe", "powershell_ise.exe")
 ```
-### Select result columns and length 
-Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
+
+### Search for specific command strings
+Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
 
 ```kusto
-| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+// Suspicious commands
+| where ProcessCommandLine has_any("WebClient",
+    "DownloadFile",
+    "DownloadData",
+    "DownloadString",
+    "WebRequest",
+    "Shellcode",
+    "http",
+    "https")
+```
+
+### Customize result columns and length 
+Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
+
+```kusto
+| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, 
+FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 
-Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
+Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results. 
+
+![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png)
+
+>[!TIP]
+>You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
 
 ## Learn common query operators for advanced hunting
 

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Use shared queries in advanced hunting