Merge branch 'master' into v-gmoor-for-pr-4313

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -20,7 +20,7 @@ The enrollment into Intune is triggered by a group policy created on your local
 Requirements:
 - AD-joined PC running Windows 10, version 1709 or later
 - The enterprise has configured a mobile device management (MDM) service
-- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md)
+- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](https://docs.microsoft.com/azure/architecture/reference-architectures/identity/azure-ad)
 - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
 - The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
 

windows/client-management/mdm/mdm-enrollment-of-windows-devices.md

@@ -12,7 +12,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 11/15/2017
+ms.date: 11/19/2020
 ---
 
 # MDM enrollment of Windows 10-based devices
@@ -248,33 +248,6 @@ To create a local account and connect the device:
 
    After you complete the flow, your device will be connected to your organization’s MDM.
    
-
-### Connect to MDM on a phone (enroll in device management)
-
-1.  Launch the Settings app, and then select **Accounts**.
-
-    ![phone settings](images/unifiedenrollment-rs1-38.png)
-
-2.  Select **Access work or school**.
-
-    ![phone settings](images/unifiedenrollment-rs1-39.png)
-
-3.  Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
-
-    ![access work or school page](images/unifiedenrollment-rs1-40.png)
-
-4.  Enter your work email address.
-
-    ![enter your email address](images/unifiedenrollment-rs1-41.png)
-
-5.  If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information.
-
-    Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
-
-6.  After you complete the flow, your device will be connected to your organization’s MDM.
-
-    ![completed mdm enrollment](images/unifiedenrollment-rs1-42.png)
-
 ### Help with connecting personally-owned devices
 
 There are a few instances where your device may not be able to connect to work.

windows/client-management/mdm/policy-csp-userrights.md

@@ -75,9 +75,6 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
    
   If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (`<![CDATA[...]]>`) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.
 
-> [!NOTE]
-> There is currently a reporting issue in the Microsoft Endpoint Manager (MEM) console which results in the setting reporting back a 'Remediation failed' (0x87d1fde8) error, even when the setting is successfully applied. To verify whether the setting has applied successfully, check the local Windows 10 device: Event Viewer>Applications and Services Logs<Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin>Event ID 814. This issue is the result of the use of the CDATA tags, which are neccesary when more than a single entry is required. If there is only a single entry, the CDATA tags can be omitted - which will resolve the reporting false positive.
-
 > [!NOTE]
 > `&#xF000;` is the entity encoding of 0xF000.
 
@@ -87,7 +84,7 @@ For example, the following syntax grants user rights to Authenticated Users and
 <![CDATA[Authenticated Users&#xF000;Replicator]]>
 ```
 
-For example, the following syntax grants user rights to two specific users from Contoso, user1 and user2:
+For example, the following syntax grants user rights to two specific Azure Active Directory (AAD) users from Contoso, user1 and user2:
 
 ```xml
 <![CDATA[AzureAD\user1@contoso.com&#xF000;AzureAD\user2@contoso.com]]>

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -10,11 +10,11 @@ ms.sitesec: library
 ms.localizationpriority: high
 audience: ITPro
 author: linque1
-ms.author: obezeajo
+ms.author: robsize
 manager: robsize
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 7/7/2020
+ms.date: 12/1/2020
 ---
 
 # Manage connections from Windows 10 operating system components to Microsoft services

windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md

@@ -50,14 +50,14 @@ To have your company listed as a partner in the in-product partner page, you wil
 4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done.
 5.	If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application.
 6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
-    Follow these steps:
-    1.	Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP-integrated product with the version of the product that includes this integration. 
-      - ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`
-      - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}` 
 
-    2.	Set the User-Agent field in each HTTP request header to the name based on the above nomenclature. 
+   	- Set the User-Agent field in each HTTP request header to the name based on the Following nomenclature.
-    For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
 
+    - `MsdePartner-{CompanyName}-{ProductName}/{Version}`
+    
+    - For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
+    
+    - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43).
 
 Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
 

windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md

@@ -54,7 +54,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
     > [!NOTE]
     > This feature is available in version 100.90.70 or newer.
 
-    This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
+    This feature is enabled by default on the `Dogfood` and `InsiderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
  
     ```bash
     mdatp config real-time-protection-statistics --value enabled
@@ -78,16 +78,63 @@ The following steps can be used to troubleshoot and mitigate these issues:
     To collect current statistics, run:
 
     ```bash
-    mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file
+    mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json
+    ```
+    > [!NOTE]
+    > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing.
+
+    The output of this command will show all processes and their associated scan activity. 
+
+3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command: 
+
+    ```bash
+    wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py
+    ```
+    The output of this command should be similar to the following:
+
+    ```Output
+    --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py
+    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx
+    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected.
+    HTTP request sent, awaiting response... 200 OK
+    Length: 1020 [text/plain]
+    Saving to: 'high_cpu_parser.py'
+
+    100%[===========================================>] 1,020    --.-K/s   in 0s
+    ```
+4. Next, type the following commands:
+    ```bash
+    chmod +x high_cpu_parser.py
+    ```
+    ```bash
+    cat real_time_protection.json | python high_cpu_parser.py  > real_time_protection.log
     ```
 
-    The output of this command will show all processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
+      The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact.
     
-    > [!NOTE]
+    For example, the output of the command will be something like the below: 
+
+    ```Output
+    ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10
+	27432 None 76703
+	73467 actool     1249
+	73914 xcodebuild 1081
+	73873 bash 1050
+	27475 None 836
+	1    launchd    407
+	73468 ibtool     344
+	549  telemetryd_v1   325
+	4764 None 228
+	125  CrashPlanService 164
+    ```
+     
+    To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).                
+    
+    >[!NOTE]
     > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
 
-3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
+5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+
+    For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).    
 
-4. Configure Defender for Endpoint for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
 
-    For more details, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).

windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md

@@ -91,6 +91,12 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d
    
    `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
 
+> [!NOTE]
+> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
+> Example:<br/>
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
+
 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/>
    
    `Get-Service -Name windefend`

windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md

@@ -139,7 +139,7 @@ You can prevent further propagation of an attack in your organization by banning
 
 >[!IMPORTANT]
 >
->- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
+>- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
 >
 >- The Antimalware client version must be 4.18.1901.x or later.
 >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.

windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md

@@ -87,6 +87,12 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d
    
    `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
 
+> [!NOTE]
+> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
+> Example:<br/>
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
+> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
+
 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/>
    
    `Get-Service -Name windefend`