Merge branch 'master' into MTE_alertdescupdate

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -245,6 +245,7 @@ To collect Event Viewer logs:
 
 ### Useful Links
 
+- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
 - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
 - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
 - [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)

windows/deployment/update/update-compliance-monitor.md

@@ -20,10 +20,9 @@ ms.topic: article
 > [!IMPORTANT]
 > While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
 >
-> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
 > * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
 
-
 ## Introduction
 
 Update Compliance enables organizations to:

windows/deployment/update/update-compliance-wd-av-status.md

@@ -18,7 +18,7 @@ ms.topic: article
 
 
 > [!IMPORTANT]
-> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
 
 ![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png)
 

windows/deployment/windows-autopilot/registration-auth.md

@@ -47,9 +47,13 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus
     ![Delegated rights](images/csp2.png)
     - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent.  You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal:  https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
     - Send the template above to the customer via email.
-2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
+2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following Microsoft 365 admin center page:
 
-    ![Global admin](images/csp3.png)
+    ![Global admin](images/csp3a.png)
+
+    The image above is what the customer will see if they requested delegated admin rights (DAP). Note that the page says what Admin roles are being requested.  If the customer did not request delegated admin rights they would see the following page:
+
+    ![Global admin](images/csp3b.png)   
 
     > [!NOTE]
     > A user without global admin privileges who clicks the link will see a message similar to the following:

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Advanced hunting query best practices

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceFileEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceImageLoadEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceInfo

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceLogonEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceNetworkEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceNetworkInfo

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceProcessEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # DeviceRegistryEvents

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Learn the advanced hunting query language
@@ -32,64 +31,87 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
 In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
 
 ```kusto
-// Finds PowerShell execution events that could involve a download.
-DeviceProcessEvents  
+// Finds PowerShell execution events that could involve a download
+union DeviceProcessEvents, DeviceNetworkEvents
 | where Timestamp > ago(7d)
-| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") 
-| where ProcessCommandLine has "Net.WebClient"
-        or ProcessCommandLine has "DownloadFile"
-        or ProcessCommandLine has "Invoke-WebRequest"
-        or ProcessCommandLine has "Invoke-Shellcode"
-        or ProcessCommandLine contains "http:"
-| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+// Pivoting on PowerShell processes
+| where FileName in~ ("powershell.exe", "powershell_ise.exe")
+// Suspicious commands
+| where ProcessCommandLine has_any("WebClient",
+    "DownloadFile",
+    "DownloadData",
+    "DownloadString",
+    "WebRequest",
+    "Shellcode",
+    "http",
+    "https")
+| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, 
+FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 
 This is how it will look like in advanced hunting.
 
-![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
+![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png)
 
-### Describe the query and specify the table to search
-The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
+
+### Describe the query and specify the tables to search
+A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization. 
 
 ```kusto
-// Finds PowerShell execution events that could involve a download.
-DeviceProcessEvents
+// Finds PowerShell execution events that could involve a download
 ```
 
-The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding  with the table name `DeviceProcessEvents` and add piped elements as needed.
+The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables,  `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
 
+```kusto
+union DeviceProcessEvents, DeviceNetworkEvents
+```
 ### Set the time range
-The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
+The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 
 ```kusto
 | where Timestamp > ago(7d)
 ```
-### Search for specific executable files
-The time range is immediately followed by a search for files representing the PowerShell application.
 
-```kusto
-| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
+### Check specific processes
+The time range is immediately followed by a search for process file names representing the PowerShell application.
+
 ```
-### Search for specific command lines
-Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
-
-```kusto
-| where ProcessCommandLine has "Net.WebClient"
-        or ProcessCommandLine has "DownloadFile"
-        or ProcessCommandLine has "Invoke-WebRequest"
-        or ProcessCommandLine has "Invoke-Shellcode"
-        or ProcessCommandLine contains "http:"
+// Pivoting on PowerShell processes
+| where FileName in~ ("powershell.exe", "powershell_ise.exe")
 ```
-### Select result columns and length 
-Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
+
+### Search for specific command strings
+Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
 
 ```kusto
-| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+// Suspicious commands
+| where ProcessCommandLine has_any("WebClient",
+    "DownloadFile",
+    "DownloadData",
+    "DownloadString",
+    "WebRequest",
+    "Shellcode",
+    "http",
+    "https")
+```
+
+### Customize result columns and length 
+Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
+
+```kusto
+| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, 
+FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 
-Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
+Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results. 
+
+![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png)
+
+>[!TIP]
+>You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
 
 ## Learn common query operators for advanced hunting
 

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 10/08/2019
 ---
 
 # Use shared queries in advanced hunting